About the Authors
Dan Holme
A graduate of Yale University and Thunderbird, the American Graduate School of Inter-
national Management, Dan has spent 10 years as a consultant and trainer, delivering
solutions to tens of thousands of IT professionals from the most prestigious organiza-
tions and corporations around the world. His clients have included AT&T, Johnson &
Johnson, HP, Boeing, Home Depot, and Intel, and he has recently been involved in
supporting the design and implementation of Active Directory at several enterprises,
including Raytheon, NBC 10 Olympics, and General Electric. Dan is the Director of
Training & Consulting for Intelliem, which specializes in boosting the productivity of IT
professionals and users by creating advanced, customized solutions that integrate cli-
ents’ specific design and configuration into productivity-focused training and knowl-
edge management services (info@intelliem.com). From his base in sunny Arizona, Dan
travels to client sites around the world and then unwinds on his favorite mode of trans-
portation—his snowboard. It takes a village to raise a happy geek, and Dan sends
undying thanks and love to those without whom sanity would be out of reach: Lyman,
Barb & Dick, Bob & Joni, Stan & Marylyn & Sondra, the Friels, Mark & Derrick, Ken &
Craig, Curt & James, and Maddie. And an extra thanks from “Danny Dash” to Craig,
Antonio, Art, and all the Mikes of Torino for a medal-winning experience!
Orin Thomas
Orin is a writer, speaker, trainer, and systems administrator who works for the certifi-
cation advice Web site Certtutor.net. His work in IT has been varied: He’s done every-
thing from providing first-level networking support to acting as systems administrator
for one of Australia’s largest companies. He founded the Melbourne Infrastructure
Administrators group, writes regularly for Windows IT Pro magazine, and has co-
authored several books for Microsoft Press. He holds a variety of certifications and a
bachelor’s degree in science with honors from the University of Melbourne. Orin
would like to thank his beautiful wife Oksana and awesome son Rooslan for their con-
stant unconditional love and support. He’d also like to thank Karen Szall, Maria
Gargiulo, Ken Jones, Dan Holme, and the rest of the team at Microsoft for their help in
getting this second edition of the 70-290 training kit out the door.
About This Book
Welcome to MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Main-
taining a Microsoft Windows Server 2003 Environment, Second Edition. We have
designed this book to prepare you effectively for the MCSE examination and, along the
way, to share with you knowledge about what it takes to implement Windows Server
2003 in your enterprise network. We hope that by helping you understand the under-
lying technologies, the variety of options for configuring feature sets, and the complex
interaction among components, you are better equipped to tackle the challenges that
you face in the information technology (IT) trenches. We also hope to serve the com-
munity at large—to elevate the worth of the MCSE moniker—so that behind each cer-
tification is a knowledgeable, experienced, capable professional.
Intended Audience
This book was developed for IT professionals who plan to take the related Microsoft
Certified Professional (MCP) exam 70-290, Managing and Maintaining a Microsoft
Windows Server 2003 Environment, as well as for IT professionals who administer
computers running Microsoft Windows Server 2003.
Note Exam skills are subject to change without prior notice and at the sole discretion of
Microsoft.
Prerequisites
This training kit requires that students meet the following prerequisites:
■ A minimum of 12 to 18 months of experience administering Windows technolo-
gies in a network environment
■ An understanding of Microsoft Active Directory directory service and related tech-
nologies, including Group Policy
About the CD-ROM
For your use, this book includes a companion CD-ROM, which contains a variety of
informational aids to complement the book content:
■ The Microsoft Press Readiness Review Suite Powered by MeasureUp. This suite of
practice tests and objective reviews contains questions of varying degrees of
xxvi About This Book
complexity and offers multiple testing modes. You can assess your understanding
of the concepts presented in this book and use the results to develop a learning
plan that meets your needs.
■ An electronic version of this book (eBook). For information about using the
eBook, see the section, “The eBook,” later in this introduction.
■ An eBook of Microsoft Windows Scripting Self-Paced Learning Guide by Ed Wilson.
■ Sample chapters from several Microsoft Press books give you additional informa-
tion about Windows Server 2003 and introduce you to other resources that are
available from Microsoft Press.
■ An overview of Windows Server 2003 Service Pack 1 and Windows Server 2003 R2.
■ Documents about Windows x64 and 64-bit computing with Windows Server 2003.
■ Bonus material covering Software Update Services (SUS) and using VBScript to
automate user and group administration.
■ A free demo: “Answering Simulation Questions.”
■ Links to free e-Learning courses and clinics.
Two additional CD-ROMs contain a 180-day Evaluation Edition of Windows Server
2003 with SP1 and R2, Enterprise Edition. You will use SP1 to complete this training kit.
R2 is for your reference only; do not install R2 until you have completed the training kit
exercises.
Note The 180-day Evaluation Edition provided with this training kit is not the full retail prod-
uct and is provided only for the purposes of training and evaluation. Microsoft Technical Sup-
port does not support this evaluation edition.
For additional support information regarding this book and the CD-ROM (including
answers to commonly asked questions about installation and use), visit the Microsoft
Press Technical Support Web site at http://www.microsoft.com/mspress/support/. You
can also e-mail tkinput@microsoft.com or send a letter to Microsoft Press, Attention:
Microsoft Press Technical Support, One Microsoft Way, Redmond, WA 98052-6399.
Features of This Book
This book has two parts. Use Part 1 to learn at your own pace and practice what you’ve
learned with practical exercises. Part 2 contains questions and answers that you can
use to test yourself on what you’ve learned.
Part 1: Learn at Your Own Pace
Each chapter identifies the exam objectives that are covered in the chapter, provides an
overview of why the topics matter by identifying how the information applies in the
real world, and lists any prerequisites that must be met to complete the lessons pre-
sented in the chapter.
The chapters contain a set of lessons. Lessons contain practices that include one or
more hands-on exercises. These exercises give you an opportunity to use the skills
being presented or explore the part of the application being described. Each lesson
also has a set of review questions to test your knowledge of the material covered in
that lesson. The answers to the questions are found in the “Questions and Answers”
section at the end of each chapter.
After the lessons, you are given an opportunity to apply what you’ve learned in a case-
scenario exercise. In this exercise, you work through a multistep solution for a realistic
case scenario. You are also given an opportunity to work through a troubleshooting lab
that explores difficulties you might encounter when applying what you’ve learned on
the job.
Each chapter ends with a summary of key concepts and a short section listing key top-
ics and terms that you need to know before taking the exam, summarizing the key
points with a focus on the exam.
Real World Helpful Information
You will find sidebars like this one that contain related information you might
find helpful. “Real World” sidebars contain specific information gained through
the experience of IT professionals just like you.
Part 2: Prepare for the Exam
Part 2 helps to familiarize you with the types of questions that you will encounter on
the MCP exam. By reviewing the objectives and the sample questions, you can focus
on the specific skills that you need to improve before taking the exam.
See Also For a complete list of Microsoft certification exams and their related objectives,
go to http://www.microsoft.com/learning/mcp/default.asp.
Part 2 is organized by the exam’s objectives. Each chapter covers one of the primary
groups of objectives, called Objective Domains. Each chapter lists the tested skills you
must master to answer the exam questions and includes a list of further readings to
help you improve your ability to perform the tasks or skills specified by the objectives.
Within each Objective Domain, you will find the related objectives that are covered on
the exam. Each objective provides you with several practice exam questions. The
answers are accompanied by explanations of each correct and incorrect answer.
On the CD These questions are also available on the companion CD as a practice test.
Informational Notes
Several types of reader aids appear throughout the training kit:
■ Tip contains methods of performing a task more quickly or in a not-so-obvious
way.
■ Important contains information that is essential to completing a task.
■ Note contains supplemental information.
■ Caution contains valuable information about possible loss of data; be sure to read
this information carefully.
■ Warning contains critical information about possible physical injury; be sure to
read this information carefully.
■ See Also contains references to other sources of information.
■ Planning contains hints and useful information that should help you to plan the
implementation.
■ Security Alert highlights information you need to know to maximize security in
your work environment.
■ Exam Tip flags information you should know before taking the certification
exam.
■ Off the Record contains practical advice about the real-world implications of
information presented in the lesson.
Notational Conventions
The following conventions are used throughout this book.
■ Characters or commands that you type appear in bold type.
■ Italic in syntax statements indicates placeholders for variable information. Italic is
also used for book titles.
■ Names of files and folders appear in Title caps, except when you are to type them
directly. Unless otherwise indicated, you can use all lowercase letters when you
type a file name in a dialog box or at a command prompt.
■ File name extensions appear in all lowercase.
■ Acronyms appear in all uppercase.
■ Monospace type represents code samples, examples of screen text, or entries that
you might type at a command prompt or in initialization files.
■ Square brackets [ ] are used in syntax statements to enclose optional items. For
example, [filename] in command syntax indicates that you can choose to type a
file name with the command. Type only the information within the brackets, not
the brackets themselves.
■ Braces { } are used in syntax statements to enclose required items. Type only the
information within the braces, not the braces themselves.
Keyboard Conventions
■ A plus sign (+) between two key names means that you must press those keys at
the same time. For example, “Press ALT+TAB” means that you hold down ALT while
you press TAB.
■ A comma ( , ) between two or more key names means that you must press each
of the keys consecutively, not together. For example, “Press ALT, F, X” means that
you press and release each key in sequence. “Press ALT+W, L” means that you first
press ALT and W at the same time and then release them and press L.
Getting Started
This training kit contains hands-on exercises to help you learn about implementing,
supporting, and troubleshooting Windows Server 2003 technologies. Use this section to
prepare your self-paced training environment. You can complete most of the exercises
on a single test computer in a lab environment. Several optional exercises require a
second computer running Windows Server 2003 or Windows XP; the two computers must
be connected to each other on a network.
Caution Exercises, as well as the changes you make to your test computer, might have
undesirable results if you are connected to a larger network. Check with your network admin-
istrator before attempting these exercises.
Hardware Requirements
The test computer must have the following minimum configuration. All hardware
should be in the Windows Server Catalog, and should meet the requirements listed at
http://www.microsoft.com/windows/catalog/server/default.aspx.
■ Minimum CPU: 133 MHz processor (733 MHz is recommended)
■ Minimum RAM: 128 MB (256 MB is recommended; 64 GB maximum)
■ Disk space for setup: 1.5 GB to 2.0 GB
■ Free disk space for installation of WSUS: 10 GB
■ Display monitor capable of 800 × 600 resolution or higher
■ CD-ROM or DVD-ROM drive
■ Microsoft Mouse or compatible pointing device
Software Requirements
The following software is required to complete the procedures in this training kit:
■ Windows Server 2003 SP1, Enterprise Edition. (A 180-day Evaluation Edition of
Windows Server 2003 with SP1 and R2, Enterprise Edition, is included on the
CD-ROM.)
■ Windows XP Professional (Not included on the CD-ROM. Required in optional
hands-on exercises only.)
Caution The 180-day Evaluation Edition provided with this training kit is not the full retail
product and is provided only for the purposes of training and evaluation. Microsoft Technical
Support does not support evaluation editions. For additional support information regarding
this book and the CD-ROMs (including answers to commonly asked questions about installa-
tion and use), visit the Microsoft Press Technical Support Web site at
http://www.microsoft.com/learning/support/books/. You can also e-mail tkinput@microsoft.com or send a letter to
Microsoft Press, Attn: Microsoft Press Technical Support, One Microsoft Way, Redmond, WA
98052-6399.
Setup Instructions
Set up your computer according to the manufacturer’s instructions. The server should
be configured as follows:
■ Windows Server 2003 SP1, Enterprise Edition
Important The evaluation edition software provided with this training kit includes Service
Pack 1. Install Service Pack 1 (CD1) to complete the exercises in this training kit. Do not
install R2 (CD2) until you have completed the exercises. This version of R2 is for your refer-
ence only. It is not covered in the 70-290 exam and therefore is not covered in this training kit.
■ Computer name: Server01
■ Domain controller in the domain contoso.com
■ 1 GB of unpartitioned disk drive space
If you are very comfortable with the installation of Windows Server 2003, you may con-
figure the server using the above guidelines. Otherwise you may use the more com-
prehensive setup instructions that are provided in Chapter 1, “Introducing Microsoft
Windows Server 2003.”
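One way to confirm that the test computer matches this checklist before you start the exercises is the following Windows PowerShell script. It is an added example, not part of the training kit, and it assumes that Windows PowerShell 1.0 (a separate download; it is not included with Windows Server 2003) has been installed on the SP1 test machine, and that on an R2 system the WMI Win32_OperatingSystem OtherTypeDescription property reports "R2". The expected values are the ones listed above; the unpartitioned-space figure is computed as disk size minus partition sizes and is therefore approximate.

```powershell
# Lab-readiness check for the Server01 test computer (added example, not from
# the training kit). Assumes Windows PowerShell 1.0 is installed on the
# Windows Server 2003 SP1 machine; expected values come from Setup Instructions.

$ExpectedName     = 'SERVER01'     # computer name the exercises use
$ExpectedDomain   = 'contoso.com'  # the lab domain
$MinUnpartitioned = 1GB            # unpartitioned disk space the exercises need

function Write-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    if ($Passed) { $status = 'OK  ' } else { $status = 'FAIL' }
    Write-Output ("[{0}] {1}: {2}" -f $status, $Name, $Detail)
}

$os = Get-WmiObject -Class Win32_OperatingSystem
$cs = Get-WmiObject -Class Win32_ComputerSystem

# 1. Service Pack 1 must be applied (the CD1 evaluation media already includes it).
Write-Check 'Service Pack 1' ($os.ServicePackMajorVersion -eq 1) `
    ("{0} {1}" -f $os.Caption, $os.CSDVersion)

# 2. R2 components must NOT be installed yet. Assumption: an R2 system reports
#    OtherTypeDescription = 'R2'; a plain SP1 system leaves it empty.
Write-Check 'R2 not installed' ($os.OtherTypeDescription -ne 'R2') `
    ("OtherTypeDescription = '{0}'" -f $os.OtherTypeDescription)

# 3. Computer name (the -eq operator is case-insensitive in PowerShell).
Write-Check 'Computer name' ($cs.Name -eq $ExpectedName) $cs.Name

# 4. Domain controller in contoso.com. DomainRole 4 = backup DC, 5 = primary DC.
$isDC = ($cs.DomainRole -eq 4) -or ($cs.DomainRole -eq 5)
Write-Check 'Domain controller' $isDC ("DomainRole = {0}" -f $cs.DomainRole)
Write-Check 'Domain' ($cs.Domain -eq $ExpectedDomain) $cs.Domain

# 5. Unpartitioned space: each disk's size minus the sizes of its partitions,
#    summed over all disks. Alignment gaps are ignored, so this is approximate.
$unpartitioned = [int64]0
foreach ($disk in Get-WmiObject -Class Win32_DiskDrive) {
    $used = [int64]0
    Get-WmiObject -Class Win32_DiskPartition -Filter "DiskIndex=$($disk.Index)" |
        ForEach-Object { $used += [int64]$_.Size }
    $unpartitioned += ([int64]$disk.Size - $used)
}
Write-Check 'Unpartitioned space' ($unpartitioned -ge $MinUnpartitioned) `
    ("{0:N0} MB unpartitioned" -f ($unpartitioned / 1MB))
```

Run the script from an administrative PowerShell prompt on the test computer; each line reports OK or FAIL with the value WMI actually returned, so a mismatch (for example, a member server that was never promoted, or a disk with no free space left for the disk-management exercises) is visible before you begin Chapter 1.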
The second computer will act as a second server or a Windows XP client for the
optional hands-on exercises in the course. Chapters that require a second computer
will provide configuration guidance in the “Before You Begin” section of the chapter.
Caution If your computers are connected to a larger network, you must verify with your net-
work administrator that the computer names, domain names, and other information used in
setting up Windows Server 2003, as described above and in Chapter 1, do not conflict with
network operations. If they conflict, ask your network administrator to provide alternative val-
ues and use those values throughout all the exercises in this book.
The Microsoft Press Readiness Review Suite
The CD-ROM includes a practice test of 300 sample exam questions and an objective
review with an additional 125 questions. Use these tools to reinforce your learning and
to identify any areas in which you need to gain more experience before taking the
exam.
To install the practice test and objective review
1. Insert the companion CD-ROM into your CD-ROM drive.
On the CD If AutoRun is disabled on your machine, refer to the Readme.txt file on the
CD-ROM.
2. Click Readiness Review Suite on the user interface menu and follow the prompts.
The eBook
The CD-ROM includes an electronic version of this training kit, an eBook for the
Microsoft Windows Scripting Self-Paced Learning Guide by Ed Wilson, and bonus
material, including sample chapters from several Microsoft Press books and relevant
white papers. The eBook and the bonus materials are in Portable Document Format
(PDF) and can be viewed using Adobe Reader.
To use the eBook
1. Insert the companion CD-ROM into your CD-ROM drive.
On the CD If AutoRun is disabled on your machine, refer to the Readme.txt file on the
CD-ROM.
2. Click eBook on the user interface menu. You can also review any of the other
PDFs that are provided.
The Microsoft Certified Professional Program
The Microsoft certifications provide the best method to prove your command of cur-
rent Microsoft products and technologies. The exams and corresponding certifications
are developed to validate your mastery of critical competencies as you design and
develop, or implement and support, solutions with Microsoft products and technolo-
gies. Computer professionals who become Microsoft-certified are recognized as
experts and are sought after industry-wide. Certification brings a variety of benefits to
the individual and to employers and organizations.
See Also For a full list of Microsoft certifications, go to http://www.microsoft.com/learning
/itpro/default.asp.
Technical Support
Every effort has been made to ensure the accuracy of this book and the contents of the
companion disc. If you have comments, questions, or ideas regarding this book or the
companion disc, please send them to Microsoft Press using either of the following
methods:
E-mail: tkinput@microsoft.com
Postal Mail: Microsoft Press
Attn: MCSA/MCSE Self−Paced Training Kit (Exam 70−290): Managing
and Maintaining a Microsoft Windows Server 2003 Environment, Second
Edition, Editor
One Microsoft Way
Redmond, WA 98052-6399
For additional support information regarding this book and the CD-ROM (including
answers to commonly asked questions about installation and use), visit the Microsoft
Press Technical Support Web site at http://www.microsoft.com/learning/support/books.
To connect directly to the Microsoft Press Knowledge Base and enter a query, visit
http://www.microsoft.com/mspress/support/search.asp. For support information regarding
Microsoft software, please connect to http://support.microsoft.com/.
Evaluation Edition Software Support
The 180-day Evaluation Edition provided with this training kit is not the full retail product
and is provided only for the purposes of training and evaluation. Microsoft and
Microsoft Technical Support do not support this evaluation edition.
Caution The Evaluation Edition of Windows Server 2003 with SP1 and R2, Enterprise Edition,
that is included with this book should not be used on a primary work computer. The evaluation
edition is unsupported. For online support information relating to the full version of Windows
Server 2003 R2, Enterprise Edition, that might also apply to the Evaluation Edition, you can
connect to http://support.microsoft.com/.
Information about any issues relating to the use of this Evaluation Edition with this
training kit is posted to the Support section of the Microsoft Press Web site
(http://www.microsoft.com/learning/support/books/). For information about ordering the
full version of any Microsoft software, please call Microsoft Sales at (800) 426-9400
or visit http://www.microsoft.com.
Part I
Learn at Your Own Pace
1 Introducing Microsoft
Windows Server 2003
This chapter does not cover specific exam objectives. After introducing the Microsoft
Windows Server 2003 family of products, this chapter covers some installation and con-
figuration considerations with a focus on what you need to know for the 70-290 certi-
fication exam.
Why This Chapter Matters
The purpose of this book is to empower you to manage and maintain a Microsoft
Windows Server 2003 environment, and to prepare you effectively for the 70-290
certification examination. Although it is assumed that you have experience with
Microsoft Windows technologies, the Windows Server 2003 family and Microsoft
Active Directory directory service itself might be new to you. The goal of this
chapter, therefore, is to introduce you to the multiple versions and editions of
Windows Server 2003, so that you can identify the key distinctions among them
and determine the mix of versions that will most effectively meet the needs of
your organization. You will then be guided through the process of installing and
configuring a computer that is running Windows Server 2003 and that functions
as a domain controller in an Active Directory domain.
Lessons in this Chapter:
■ Lesson 1: The Windows Server 2003 Family . . . . . . . . . . . . . . . . . . . . . . . . .1-4
■ Lesson 2: Installation and Configuration of Windows Server 2003 and
Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-10
Before You Begin
This chapter will guide you through the steps required to configure a computer run-
ning Windows Server 2003. You will be able to use that computer for the hands-on
exercises throughout this training kit. The computer should have at least one disk drive
that can be erased and used to install Windows Server 2003.
1-4 Chapter 1 Introducing Microsoft Windows Server 2003
Lesson 1: The Windows Server 2003 Family
Windows Server 2003 is, of course, more secure, more reliable, more available, and
easier to administer than any previous version of Windows. Let’s take a close look at
the platform and how it compares to Microsoft Windows 2000. This lesson provides a
brief overview of the Windows Server 2003 family, focusing on the differences among
the product editions: Web Edition, Standard Edition, Enterprise Edition, and Datacenter
Edition. The lesson also summarizes the enhancements introduced by Service Pack 1
(SP1) and Windows Server 2003 R2.
After this lesson, you will be able to
■ Recognize the security improvements introduced by SP1
■ Understand the role of Windows Server 2003 R2 in the product lifecycle
■ Identify the key differences among the Windows Server 2003 editions
Estimated lesson time: 5 minutes
Introducing the Windows Server 2003 Server Family
Windows Server 2003 is an incremental update to the platform and technologies intro-
duced in Windows 2000. If you are coming to Windows Server 2003 with experience
from Windows 2000 servers, you will find the transition a relatively easy one. If your
experience is with Microsoft Windows NT 4, welcome to the new world!
But don’t let the incremental nature of the updates mislead you; behind the upgrades are
significant and long-awaited improvements to the security and reliability of the operating
system and to the administrative toolset. In many books, this would be the place where
you would get a laundry list of new features. Actually, the Windows Server 2003 list is
extensive and there are features that make upgrading to Windows Server 2003 an obvi-
ous choice for almost any administrator. However, the particular features that appeal to
you might be different from those that appeal to another IT professional.
You might be drawn to the significant features and improvements added to Active
Directory, the new tools to support popular but complex Group Policy Objects
(GPOs), the enhancements to enterprise security, the improvements to Terminal Ser-
vices, or a number of other enhanced capabilities of the new operating system. If you
are considering a move to Windows Server 2003, take a good look through the
Microsoft Web site for the platform, at http://www.microsoft.com/windowsserver2003,
and judge for yourself which improvements are, in your environment, truly significant.
Service Pack 1
Windows Server 2003 SP1 enhances the security of Windows Server 2003 by enabling
administrators to install a server with a significant number of security updates already
integrated into the operating system. You can also apply SP1 to existing Windows Server
2003 installations. New features reduce the server's attack surface: Windows Firewall
filters inbound connections; Post-Setup Security Updates (PSSU) blocks inbound connections
to a newly installed server until updates have been applied; and the Security Configuration
Wizard (SCW) disables services and closes ports that the server's roles do not require.
Throughout this second edition of the training kit, we will discuss the important changes
introduced by SP1.
On the CD You can learn more about SP1 by reading the Windows Server 2003 Service Pack 1
Product Overview on the CD-ROM accompanying this book.
Windows Server 2003 R2
Windows Server 2003 R2 further extends the Windows Server 2003 operating system by
delivering features that do the following:
■ Facilitate the management of servers in branch offices
■ Improve identity management across platforms, applications, and organizations
■ Simplify storage configuration and management
■ Support rich, high-performance Web applications
■ Enable cost-effective server virtualization
Windows Server 2003 R2 builds on the code base of Windows Server 2003 SP1. In fact,
the first CD-ROM of a Windows Server 2003 R2 installation set is Windows Server 2003
with SP1. The second CD-ROM provides the installation of new features.
Important The 70-290 exam includes SP1, but it does not test your knowledge of features
introduced by R2. Therefore, the practices in this book assume you have not installed R2 fea-
tures. If you choose to install R2 features, you might have to modify the steps in the practices.
On the CD You can learn more about Windows Server 2003 R2 by reading the Windows
Server 2003 R2 Overview Guide on the CD-ROM accompanying this book.
Windows Server 2003 Editions
Although the list of features introduced by Windows Server 2003 SP1 and R2 is exten-
sive, evaluating the operating system also means choosing among its multiple flavors,
including the 32-bit, 64-bit, and embedded versions. The most important distinctions,
however, are those among the four product editions, listed here in ascending order of
features, functionality, and price:
■ Windows Server 2003, Web Edition
■ Windows Server 2003, Standard Edition
■ Windows Server 2003, Enterprise Edition
■ Windows Server 2003, Datacenter Edition
Web Edition
To position Windows Server 2003 more competitively against other Web servers,
Microsoft has released a stripped-down-yet-impressive edition of Windows Server 2003
designed specifically for Web services. The feature set and licensing allows customers
easy deployment of Web pages, Web sites, Web applications, and Web services.
Web Edition supports 2 gigabytes (GB) of RAM and a two-way symmetric multiproces-
sor (SMP). It provides unlimited anonymous Web connections but only 10 inbound
server message block (SMB) connections, which should be more than enough for con-
tent publishing. The server cannot be an Internet gateway, a DHCP server, or a fax server.
Although you can remotely administer the server with Remote Desktop, the server can-
not be a terminal server in the traditional sense of supporting multiple concurrent user
sessions. The server can belong to a domain but cannot be a domain controller.
Windows Server 2003 R2 is not available in a Web Edition.
Standard Edition
Windows Server 2003, Standard Edition, is a robust, multipurpose server capable of
providing directory, file, print, application, multimedia, and Web services for small to
medium-sized businesses. Its comprehensive feature set is expanded, compared to
Windows 2000, with a free, out-of-the-box Post Office Protocol version 3 (POP3) ser-
vice which, combined with the included Simple Mail Transfer Protocol (SMTP) service,
allows a server to function as a small, stand-alone mail server; and Network Load Bal-
ancing (NLB), a useful tool that was included only with the Advanced Server edition of
Windows 2000.
The Standard Edition of Windows Server 2003 supports up to 4 GB of RAM and
four-way SMP.
Enterprise Edition
The Enterprise Edition of Windows Server 2003 is designed to be a powerful server
platform for medium- to large-sized businesses. Its enterprise-class features include
support for eight processors, 32 GB of RAM, and eight-node clustering (including clus-
tering based on a Storage Area Network [SAN] and geographically dispersed clustering)
and availability for 64-bit Intel Itanium-based computers, on which scalability increases
to 64 GB of RAM and 8-way SMP.
Other features that distinguish the Enterprise Edition from the Standard Edition include:
■ Support for Microsoft Metadirectory Services (MMS), which enables the integration
of multiple directories, databases, and files with Active Directory.
■ Hot Add Memory, so that you can add memory to supported hardware systems
without downtime or reboot.
■ Windows System Resource Manager (WSRM), which supports the allocation of
CPU and memory resources on a per-application basis.
Datacenter Edition
The Datacenter Edition, which is available only as an OEM version as part of a high-
end server hardware package, provides almost unfathomable scalability, with support
on 32-bit platforms for 32-way SMP with 64 GB of RAM and on 64-bit platforms for 64-
way SMP with 512 GB of RAM. There is also a 128-way SMP version that supports two
64-way SMP partitions.
64-Bit Editions
Windows Server 2003 SP1, Enterprise Edition, and Windows Server 2003 SP1, Datacenter
Edition, are available for computers running Intel Itanium processors. Windows Server
2003 Standard x64 Edition, Enterprise x64 Edition, and Datacenter x64 Edition were
released in 2005 and share a code base with Windows Server 2003 SP1, even though
the x64 editions are not designated as SP1. These editions run on AMD Opteron and
AMD Athlon 64 processors and on Intel Xeon and Pentium processors with Intel EM64T.
Each of the x64 editions, but not the Itanium versions, is available in the Windows
Server 2003 R2 server family.
The 64-bit editions take advantage of the wider registers and faster floating-point
operations of 64-bit processors, which yield significantly faster computational opera-
tions than the 32-bit editions. Access to an enormous memory address space allows for
smooth operation of complex, resource-intensive applications such as massive database
applications, scientific analysis applications, and heavily accessed Web servers.
Some features of the 32-bit editions are not available in the 64-bit editions. Most nota-
bly, the 64-bit editions do not support 16-bit Windows applications, real-mode appli-
cations, POSIX applications, or print services for Apple Macintosh clients.
On the CD You can learn more about 64-bit editions by reading Benefits of Windows x64
and 64-Bit Computing with Windows Server 2003 on the CD-ROM accompanying this book.
Windows Small Business Server 2003
Windows Small Business Server 2003 (SBS 2003), also available in the SP1 and R2 product lines, delivers an out-of-the-box solution for small businesses that includes file and print services, e-mail (Microsoft Exchange Server 2003 and Microsoft Outlook), intranet and Web services (Microsoft Windows SharePoint Services), group faxing (Microsoft Shared Fax Service), and, in the premium edition, Internet proxy and firewall (Microsoft ISA Server), database (Microsoft SQL Server 2000 and, in R2, SQL Server 2005 Workgroup Edition), and Web development (Microsoft Office FrontPage 2003).
The 70-290 certification exam does not address features unique to SBS 2003.
See Also You can learn more about Windows Small Business Server 2003 at
http://www.microsoft.com/windowsserver2003/sbs.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. You are planning the deployment of computers running Windows Server 2003 for
a department of 250 employees. The server will host the home directories and
shared folders for the department, and it will serve several printers to which
departmental documents are sent. Which edition of Windows Server 2003 will provide the most cost-effective solution for the department?
2. You are planning the deployment of computers running Windows Server 2003
for a new Active Directory domain in a large corporation that includes multiple
separate Active Directory installations maintained by each of the corporation’s
subsidiaries. The company has decided to roll out Exchange Server 2003 as a
unified messaging platform for all the subsidiaries and plans to use Microsoft
Metadirectory Services (MMS) to synchronize appropriate properties of objects
throughout the organization. Which edition of Windows Server 2003 will provide the most cost-effective solution for this deployment?
3. You are rolling out servers to provide Internet access to your company’s e-commerce application. You anticipate four servers dedicated to the front-end Web
application and one server for a robust, active SQL database. Which editions will
provide the most cost-effective solution?
Lesson Summary
■ Windows Server 2003 SP1 delivered important security enhancements to the family of products.
■ Windows Server 2003 R2 adds a number of features to Windows Server 2003 SP1.
The Windows Server 2003 R2 installation consists of two CD-ROMs, the first of
which installs the Windows Server 2003 SP1 operating system and the second of
which installs the features new to R2.
■ Windows Server 2003 is available in 64-bit as well as 32-bit versions.
■ The primary distinctions among versions of Windows Server 2003 are the product
editions: Web Edition, Standard Edition, Enterprise Edition, and Datacenter Edition,
each of which supports a subset of features honed to a specific purpose.
■ Taken as a whole, Windows Server 2003 is an upgrade to Windows 2000. However, the feature and security improvements are significant, and you are likely to
find that particular upgrades provide critical enhancements for your particular
environment.
Lesson 2: Installation and Configuration of Windows Server 2003 and Active Directory
The 70-290 examination focuses on the management and maintenance of a Windows
Server 2003 environment. The objectives of the exam focus very little attention on
Active Directory itself; some of the objectives, however, relate to the administration of
Active Directory objects: users, groups, computers, printers, and shared folders in particular. The chapters that follow will explain the examination objectives in detail, and
hands-on exercises will be an important component of your learning experience.
Those exercises require you to have configured a domain controller running Windows
Server 2003. If you are comfortable configuring a domain controller and creating basic
user, group, and computer accounts, you can skip this lesson. If you are less familiar
with Active Directory, this lesson will provide sufficient foundation for you to embark
on a full exploration of Windows Server 2003.
After this lesson, you will be able to
■ Install Windows Server 2003 SP1
■ Identify the key structures and concepts of Active Directory
■ Create a domain controller
■ Create Active Directory objects including users, groups, and organizational units (OUs)
Estimated lesson time: 60 minutes
Installing and Configuring Windows Server 2003
As an experienced IT professional, you have no doubt spent considerable time installing Windows platforms. Some of the important and enhanced considerations when
installing Windows Server 2003 SP1 are
■ Bootable CD-ROM installation Most administrators first became accustomed
to installing an operating system by booting from the CD-ROM in the late 1990s.
Windows Server 2003 continues the trend, and can be installed directly from the
CD-ROM. But Windows Server 2003 adds a twist: there is no support for starting
installation from floppy disks.
■ Improved graphical user interface (GUI) during setup Windows Server
2003 uses a GUI during setup that resembles that of Windows XP. It communicates
more clearly the current state of the installation and the amount of time required
to complete installation.
■ Post-Setup Security Updates (PSSU) After installation of the operating system, a server remains vulnerable to exploits discovered after SP1 was released.
To mitigate this vulnerability, PSSU by default enables Windows Firewall to prevent inbound connections until an administrator has applied currently available
high-priority security updates and has enabled Automatic Updates.
■ Product activation Retail and evaluation versions of Windows Server 2003
require that you activate the product. Volume licensing programs, such as Open
License, Select License, or Enterprise Agreement, do not require activation.
The specific steps required to install and configure Windows Server 2003 SP1 are outlined in Exercises 1 and 2.
After installing, updating, and activating Windows Server 2003, you can configure the
server using a well-thought-out Manage Your Server page, as shown in Figure 1-1, that
launches automatically at logon. The page facilitates the installation of specific services,
tools, and configurations based on server roles. Click Add Or Remove A Role and the
Configure Your Server Wizard appears.
Figure 1-1 The Manage Your Server page
If you select Domain Controller (Active Directory), the Configure Your Server Wizard
promotes the server to a domain controller in a new domain, installs Active Directory
services, and, if needed, Domain Name Service (DNS), Dynamic Host Configuration
Protocol (DHCP), and Routing And Remote Access (RRAS) service.
If you select Custom Configuration, the Configure Your Server Wizard can configure
the following roles:
■ File Server Provides convenient, centralized access to files and directories for
individual users, departments, and entire organizations. Choosing this option
allows you to manage user disk space by enabling and configuring disk quota
management and to provide improved file system search performance by enabling
the Indexing service.
■ Print Server Provides centralized and managed access to printing devices by
serving shared printers and printer drivers to client computers. Choosing this option
starts the Add Printer Wizard to install printers and their associated Windows printer
drivers. It also installs Internet Information Services (IIS 6.0) and configures Internet
Printing Protocol (IPP) and installs the Web-based printer administration tools.
■ Application Server (IIS, ASP.NET) Provides infrastructure components
required to support the hosting of Web applications. This role installs and configures IIS 6.0 as well as ASP.NET and COM+.
■ Mail Server (POP3, SMTP) Installs POP3 and SMTP so that the server can act as
an e-mail server for POP3 clients.
■ Terminal Server Provides applications and server resources, such as printers
and storage, to multiple users as if those applications and resources were installed
on their own computers. Users connect with the Terminal Services or Remote
Desktop clients. Unlike Windows 2000, Windows Server 2003 provides Remote
Desktop for Administration automatically. Terminal Server roles are required only
when hosting applications for users on a terminal server.
■ Remote Access/VPN Server Provides multiple-protocol routing and remote
access services for dial-in, local area networks (LANs) and wide area networks
(WANs). Virtual private network (VPN) connections allow remote sites and users
to connect securely to the network using standard Internet connections.
■ Domain Controller (Active Directory) Provides directory services to clients in
the network. This option configures a domain controller for a new or existing
domain and installs DNS. Choosing this option runs the Active Directory Installation Wizard.
■ DNS Server Provides host name resolution by translating host names to IP
addresses (forward lookups) and IP addresses to host names (reverse lookups).
Choosing this option installs the DNS service and then starts the Configure A DNS
Server Wizard.
■ DHCP Server Provides automatic IP addressing services to clients configured
to use dynamic IP addressing. Choosing this option installs DHCP services and
then starts the New Scope Wizard to define one or more IP address scopes in the
network.
■ Streaming Media Server Provides Windows Media Services (WMS). WMS
enables the server to stream multimedia content over an intranet or the Internet.
Content can be stored and delivered on demand or delivered in real time.
Choosing this option installs WMS.
■ WINS Server Provides computer name resolution by translating NetBIOS names
to IP addresses. It is not necessary to install Windows Internet Name Service
(WINS) unless you are supporting legacy operating systems such as Windows 95
or Windows NT. Operating systems such as Windows 2000 and Windows XP do
not require WINS, although legacy applications on those platforms might very
well require NetBIOS name resolution. Choosing this option installs WINS.
To complete the hands-on exercises in this book, you will configure a computer as
Server01, acting as a domain controller in the domain contoso.com. The steps for configuring the server as a domain controller using the Configure Your Server Wizard are
listed in Exercise 3 at the end of this lesson.
Active Directory
Many books have been devoted to the planning, implementation, and support of
Active Directory. If you are experienced with Active Directory, you will recognize that
the following discussion has been simplified solely because it would take many books
to discuss all the detail. The goal of this section is to distill that information to what you
should know to approach the 70-290 exam.
Networks, Directory Services, and Domain Controllers
Networks were created on the day when the first user decided he or she did not want to
walk down the hall to get something from another user. In the end, networks are all
about providing resources remotely. Those resources are often files, folders, and printers.
Over time those resources have come to include many things, most significantly, e-mail,
databases, and applications. There has to be some mechanism to keep track of these
resources, providing, at a minimum, a directory of users and groups so that the resources
can be secured against undesired access.
Microsoft Windows networks support two directory service models: the workgroup
and the domain. The domain model is by far the more common in organizations implementing Windows Server 2003. The domain model is characterized by a single directory of enterprise resources—Active Directory—that is trusted by all secure systems
that belong to the domain. Those systems can therefore use the security principals
(user, group, and computer accounts) in the directory to secure their resources. Active
Directory thus acts as an identity store, providing a single trusted list of Who’s Who in
the domain.
Active Directory itself is more than just a database, though. It is a collection of supporting files that includes transaction logs and the system volume, or Sysvol, that contains
logon scripts and Group Policy information. It is the services that support and use the
database, including Lightweight Directory Access Protocol (LDAP), Kerberos security
protocol, replication processes, and the File Replication Service (FRS). The database
and its services are installed on one or more domain controllers. A domain controller is a server that has been promoted by running the Active Directory Installation Wizard, either by running DCPROMO from the command line or, as you will do in Exercise 3, by running the Configure Your Server Wizard. Once a server has become a domain controller,
it hosts a copy, or replica, of Active Directory and changes to the database on any
domain controller are replicated to all domain controllers within the domain.
Domains, Trees, and Forests
Active Directory cannot exist without at least one domain, and vice versa. A domain is
the core administrative unit of the Windows Server 2003 directory service. However, an
enterprise might have more than one domain in its Active Directory. Multiple domain
models create logical structures called trees when they share contiguous DNS names.
For example, contoso.com, us.contoso.com, and europe.contoso.com share a contiguous DNS namespace, and would therefore be referred to as a tree.
If domains in an Active Directory do not share a common root domain, they create
multiple trees. That leads you to the largest structure in an Active Directory: the forest.
An Active Directory forest includes all domains within that Active Directory. A forest
might contain multiple domains in multiple trees, or just one domain. When more than
one domain exists, a component of Active Directory called the Global Catalog becomes
important because it provides information about objects that are located in other
domains in the forest.
Objects and Organizational Units (OUs)
Enterprise resources are represented in Active Directory as objects, or records in the
database. Each object has numerous attributes, or properties, that define it. For example, a user object includes the user name and password; a group object includes the
group name and a list of its members.
To create an object in Active Directory, open the Active Directory Users And Computers console from the Administrative Tools program group. Expand the domain to reveal its containers and OUs. Right-click a container or OU, point to New, and select the type of object you want to create.
Active Directory is capable of hosting millions of objects, including users, groups, computers, printers, shared folders, sites, site links, Group Policy Objects (GPOs), and even
DNS zones and host records. You can imagine that without some kind of structure,
accessing and administering the directory would be a nightmare.
Structure is the function of a specific object type called an organizational unit, or OU. OUs are containers within a domain that allow you to group objects that share common administration or configuration. But they do more than just organize Active Directory objects.
They provide important administrative capabilities because they provide a point at which
administrative functions can be delegated and to which group policies can be linked.
Delegation
Administrative delegation relates to the simple idea that you might want a front-line
administrator to be able to change the password for a certain subset of users. Each
object in Active Directory (in this case, the user objects) includes an access control list
(ACL) that defines permissions for that object, just as files on a disk volume have ACLs
that define access for those files. So, for example, a user object’s ACL will define what
groups are allowed to reset its password. It would get complicated to assign the front-line administrator permissions to change each individual user’s password, so instead you can put all of those users in a single OU and assign that administrator the Reset Password permission on the OU. That permission will be inherited by all user objects in the OU, thereby allowing that administrator to reset the password of every user in the OU.
Resetting user passwords is just one example of administrative delegation. There are
thousands of combinations of permissions that could be assigned to groups administering and supporting Active Directory. OUs allow an enterprise to create an active representation of its administrative model and to specify who can do what to objects in the
domain.
Group Policy
OUs are also used to collect objects—computers and users—that are configured similarly. Just about any configuration you can make to a system can be managed centrally through a feature of Active Directory called Group Policy. Group Policy allows you to specify security settings, deploy software, and configure operating system and application behavior without ever touching a machine. You simply implement your configuration within a GPO.
GPOs are collections of hundreds of possible configuration settings, from user logon rights and privileges to the software that is allowed to be run on a system. A GPO is linked to a container within Active Directory—typically an OU, but a domain or even a site can also be the link target—and all the users and computers beneath that container are affected by the settings contained in the GPO.
You will likely see Group Policy referred to on the 70-290 exam. The important things to remember about Group Policy are that it is a tool that can centrally implement configuration; that some settings apply to computers only and some settings apply to users only; and that the only computers or users that will be affected by a policy are those that are beneath the OU to which the policy is linked.
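As an added example that is not part of the training kit, the following Python model shows the two OU-scoping rules described in the Delegation and Group Policy sections: an inheritable permission granted on an OU reaches the matching objects beneath it and nothing outside it, and a GPO linked to a site, domain, or OU affects only the users and computers beneath that container. It also shows the order in which those links are applied (site, domain, then OUs from the top down), which goes slightly beyond the text. The DNs, group names and GPO names are constructed sample data for contoso.com, and DN values are assumed to contain no escaped commas.

```python
"""Model of how OU containment scopes delegated permissions and GPO links.
Added example; the directory data below is constructed, not from a real domain."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry on a container or object."""
    trustee: str       # group or user granted the right, e.g. "CONTOSO\\HelpDesk"
    right: str         # permission or control access right, e.g. "Reset Password"
    applies_to: str    # object class the entry is meant for ("user", "computer", "*")
    inherit: bool      # True: propagate to child objects beneath the container


def parse_dn(dn):
    """Split an LDAP distinguished name into (type, value) pairs, leaf first.
    Assumes no escaped commas inside values."""
    pairs = []
    for rdn in dn.split(","):
        rdn_type, _, value = rdn.partition("=")
        pairs.append((rdn_type.strip().upper(), value.strip()))
    return pairs


def container_chain(object_dn):
    """Containers from the domain root down to the object's immediate parent, e.g.
    'CN=Jane Doe,OU=Sales,OU=US,DC=contoso,DC=com' ->
    ['DC=contoso,DC=com', 'OU=US,DC=contoso,DC=com', 'OU=Sales,OU=US,DC=contoso,DC=com']"""
    pairs = parse_dn(object_dn)
    domain_index = next(i for i, (t, _) in enumerate(pairs) if t == "DC")
    suffixes = [",".join(f"{t}={v}" for t, v in pairs[i:])
                for i in range(1, domain_index + 1)]
    return list(reversed(suffixes))


def effective_rights(object_dn, object_class, acls):
    """Rights held on one object: entries set on the object itself plus inheritable
    entries from every container above it whose object-class filter matches."""
    granted = set()
    for ace in acls.get(object_dn, []):
        granted.add((ace.trustee, ace.right))
    for container in container_chain(object_dn):
        for ace in acls.get(container, []):
            if ace.inherit and ace.applies_to in ("*", object_class):
                granted.add((ace.trustee, ace.right))
    return granted


def applied_gpos(object_dn, gpo_links, site=None):
    """GPOs that affect an object, in the order Group Policy applies them: site,
    then domain, then each OU from the top down (a later GPO wins on conflicting
    settings). gpo_links maps a container DN or a site name to its linked GPOs."""
    order = []
    if site is not None:
        order.extend(gpo_links.get(site, []))
    for container in container_chain(object_dn):
        order.extend(gpo_links.get(container, []))
    return order


# Constructed sample directory: the help desk is delegated Reset Password on the
# US OU (inheritable, user objects only); a non-inheritable entry on the Sales OU
# applies to that OU object alone, not to the users inside it.
SAMPLE_ACLS = {
    "OU=US,DC=contoso,DC=com": [
        Ace("CONTOSO\\HelpDesk", "Reset Password", "user", inherit=True),
    ],
    "OU=Sales,OU=US,DC=contoso,DC=com": [
        Ace("CONTOSO\\SalesAdmins", "Create Child", "*", inherit=False),
    ],
    "OU=Servers,DC=contoso,DC=com": [
        Ace("CONTOSO\\ServerOps", "Reset Password", "computer", inherit=True),
    ],
}
SAMPLE_GPO_LINKS = {
    "Default-First-Site-Name": ["Site Proxy Settings"],
    "DC=contoso,DC=com": ["Default Domain Policy"],
    "OU=US,DC=contoso,DC=com": ["US Security Baseline"],
    "OU=Sales,OU=US,DC=contoso,DC=com": ["Sales Software Deployment"],
    "OU=Europe,DC=contoso,DC=com": ["Europe Security Baseline"],
}

if __name__ == "__main__":
    jane = "CN=Jane Doe,OU=Sales,OU=US,DC=contoso,DC=com"
    bob = "CN=Bob,OU=Europe,DC=contoso,DC=com"
    print(effective_rights(jane, "user", SAMPLE_ACLS))     # help desk can reset Jane's password
    print(effective_rights(bob, "user", SAMPLE_ACLS))      # Europe is outside the US OU: no rights
    print(applied_gpos(jane, SAMPLE_GPO_LINKS, site="Default-First-Site-Name"))
    print(applied_gpos(bob, SAMPLE_GPO_LINKS))             # Sales and US GPOs do not reach Bob
```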
Learning More
As suggested earlier in this section, Active Directory is a large and complex topic that
deserves significant examination if you are going to implement Windows Server 2003
as a domain controller. The following Microsoft Press titles are recommended reading:
■ Active Directory for Microsoft Windows Server 2003 Technical Reference
■ MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Second Edition
Practice: Installing and Configuring Windows Server 2003 SP1
In this practice, you will configure a computer to run Windows Server 2003 SP1. You
will then promote the server to become a domain controller in the contoso.com
domain.
Exercise 1: Installing Windows Server 2003 SP1
This exercise should be performed on a computer compatible with Windows Server
2003 SP1. It assumes that the primary hard drive is completely empty. If your disk
already has partitions configured, you can modify the exercise to match the configuration of your system.
1. Configure the computer’s BIOS or the disk controller BIOS to boot from the CD-ROM. If you are not sure how to configure your computer or disk controller to
boot from the CD-ROM, consult your hardware documentation.
2. Insert the Windows Server 2003 SP1 installation CD-ROM into the CD-ROM drive
and start the computer.
Note Use the Windows Server 2003 R2 Evaluation Edition CD 1 included with this book to
install Windows Server 2003 SP1.
3. If the primary disk is not empty, a message appears prompting you to press any
key to boot from the CD. If you see this message, press any key.
After the computer starts, a brief message appears explaining that your system
configuration is being inspected, and then the Windows Setup screen appears.
4. If your computer requires special mass storage drivers that are not part of the
Windows Server 2003 driver set, press F6 when prompted and provide the
appropriate drivers.
5. The system prompts you to press F2 to perform an Automated System Recovery
(ASR). ASR is a new feature in Windows Server 2003 that replaces the Emergency
Repair Disk feature of previous versions of Windows, and is described in Chapter
13. Do not press F2 at this time. Setup will continue.
Notice that the gray status bar at the bottom of the screen indicates that the computer is being inspected and that files are loading. This is required to start a minimal version of the operating system.
6. If you are installing an evaluation version of Windows Server 2003, the Setup Notification screen appears informing you of this. Read the Setup Notification message, and then press ENTER to continue.
Setup displays the Welcome To Setup screen.
Notice that, in addition to the initial installation of the operating system, you can
use Windows Server 2003 Setup to repair a damaged Windows installation. The
Recovery Console is described in Chapter 13.
7. Read the Welcome To Setup message, and then press ENTER to continue.
Setup displays the License Agreement screen.
8. Read the license agreement, pressing PAGE DOWN to scroll to the bottom of the
screen.
9. Press F8 to accept the agreement.
Setup displays the Windows Server 2003 Setup screen, prompting you to select an
area of free space or an existing partition on which to install the operating system.
This stage of setup provides a way for you to create and delete partitions on your
hard disk.
To complete the exercises in this book, you will need to configure a partition large
enough to host the operating system installation (recommended minimum size is
3 GB) and unallocated space of at least 1 GB. The following steps assume your
disk is at least 4 GB in size and is currently empty. You may make adjustments to
accommodate your situation.
10. Press C to create a partition.
11. To create a 3-GB partition, type 3072 in the Create Partition Of Size (In MB) box
and press ENTER.
12. Confirm that your partitioning is similar to that shown in Figure 1-2. Again, the recommendation for the hands-on exercises is a C partition of at least 3 GB and 1 GB of unpartitioned space.
Figure 1-2 Partitioning the hard drive for setup
13. Select C Partition1 [New (Raw)] and press ENTER to install.
You are prompted to select a file system for the partition.
14. Verify that the Format The Partition Using The NTFS File System option is selected,
and press ENTER to continue.
Setup formats the partition with NTFS, examines the hard disk for physical errors
that might cause the installation to fail, copies files to the hard disk, and initializes
the installation. This process takes several minutes.
Eventually, Setup displays a red status bar that counts down for 15 seconds before
the computer restarts and enters the GUI mode of the setup process.
15. After the text mode of setup has completed, the system restarts. Do not, when
prompted, press a key to boot to the CD-ROM.
Windows Setup launches and produces a graphical user interface that tracks the
progress of installation in the left pane. Collecting Information, Dynamic Update,
and Preparing Installation options are selected. Collecting Information was completed before the GUI appeared, and Dynamic Update is not used when starting
from the CD-ROM. The system is now Preparing Installation by copying files to the
local disk drive.
16. On the Regional And Language Options page, choose settings that are appropriate
for your language and text input requirements, and then click Next.
Tip You can modify regional settings after you install the operating system using Regional
And Language Options in Control Panel.
Setup displays the Personalize Your Software page, prompting you for your name
and organization name.
17. In the Name text box, type your name; in the Organization text box, type the
name of an organization, and then click Next.
Setup displays the Your Product Key page.
18. Enter the product key included with your Windows Server 2003 SP1 installation
CD-ROM (Evaluation edition software CD 1), and then click Next.
Setup displays the Licensing Modes dialog box, prompting you to select a
licensing mode.
19. Verify that the Per Server Number Of Concurrent Connections option is 5, and
then click Next.
Caution Per Server Number Of Concurrent Connections and five concurrent connections
are suggested values to be used to complete your self-study. You should use a legal number
of concurrent connections based on the actual licenses that you own. You can also choose to
use Per Device Or Per User option instead of Per Server.
Setup displays the Computer Name And Administrator Password page.
Notice that Setup uses your organization name to generate a suggested name for
the computer. If you didn’t enter an organization name earlier in the installation
process, Setup uses your name to generate part of the computer name.
20. In the Computer Name text box, type Server01.
The computer name displays in all capital letters regardless of how it is entered.
Throughout the rest of this self-paced training kit, the practices refer to Server01.
Caution If your computer is on a network, check with the network administrator before
assigning a name to your computer.
21. In the Administrator Password text box and the Confirm Password text box, type
a complex password for the Administrator account (one that others cannot easily
guess). Remember this password because you will be logging on as Administrator
to perform most hands-on exercises.
Important In a manual installation, Windows Server 2003 will not let you progress to subsequent steps until you enter an Administrator password that meets complexity requirements. You are allowed to enter a blank password, though this practice is strongly discouraged.
If the server has a modem installed, you will be presented with the Modem Dialing
Information dialog box.
22. Type your area code, and then click Next.
The Date And Time Settings page appears.
23. Type the correct Date & Time and Time Zone settings, and then click Next.
Important Windows Server 2003 services depend on the computer’s time and date settings. Be sure to enter the correct time and date, and to select the correct time zone for your
location.
Setup installs networking, and then the Networking Settings page appears.
24. Select Typical Settings, and then click Next.
The Workgroup Or Computer Domain page appears.
25. Verify that the first option is selected and that the workgroup name is Workgroup,
and then click Next.
Setup installs and configures the remaining operating system components. When
the installation is complete, the computer restarts automatically and the Welcome
To Windows dialog box appears. You may continue with Exercise 2.
Exercise 2: Performing Post-installation Configuration of Windows Server 2003 SP1
Windows Server 2003 SP1 and Windows Server 2003 R2 increase the security and reliability of a server by guiding you through the steps required to apply software updates
that Microsoft has released subsequent to SP1. This process is called Windows Server
Post-Setup Security Updates (PSSU). To further enhance security, Windows Firewall
blocks all inbound connections, other than those specifically opened during setup or
by policy settings. After PSSU is complete, Windows Firewall is disabled.
After Windows Server 2003 has completed booting and the Welcome To Windows dialog box has appeared, complete the following steps:
1. Press CTRL+ALT+DELETE to initiate logon and type the password you configured for
the Administrator account.
If you installed the system using the Evaluation edition software included with this
book or any other version of Windows Server 2003 R2, you will be prompted to
insert CD 2, which contains the new features of R2.
Important The practices in this book assume you have not installed R2 features. If you
choose to install R2 features, you might have to modify the steps in the practices.
2. Click Cancel to complete setup without installing R2 features. Windows Setup will
remind you that you can complete the installation of R2 features by running
Setup2.exe from CD 2. Click OK.
Note Some editions of Windows Server 2003, including the Evaluation Edition provided
with this book, require that you activate the operating system after you install it. Activation
must occur within 14 days of installation. The activation process is simple and can be completed over the Internet or by telephone. If you acquire your license to use Windows Server 2003 through one of the Microsoft volume licensing programs, you are not required to activate the license.
3. Click the balloon that appears in the System tray to initiate activation of Windows
Server 2003. Follow the prompts.
Note To activate by Internet, you will have to connect Server01 to the network and you
might have to adjust the TCP/IP properties of your network interface card (NIC) to reflect an
appropriate IP address, subnet mask, default gateway, and DNS server address.
The Windows Server Post-Setup Security Updates page appears. You will follow
the instructions on the page.
4. Click Update This Server.
The Microsoft Windows Update site opens in Internet Explorer. Internet Explorer
prompts you that Microsoft Internet Explorer’s Enhanced Security Configuration is
currently enabled.
5. Click OK to acknowledge the Internet Explorer Enhanced Security Configuration
message.
An Internet Explorer Security Warning prompts you to install Windows Update.
6. Click Install.
7. Follow the prompts of the Windows Update Web site to install updates. The exact
steps will vary depending on the updates that have been released by Microsoft
since the release of SP1. Typically, choosing an Express update will enable you to
install high-priority updates, including security updates. Certain updates might
require you to restart the server.
8. Repeat steps 4–8 until Windows Update reports that there are no high-priority
updates remaining.
Note In a production environment, it is recommended that you update your system using
Microsoft Update (http://update.microsoft.com/microsoftupdate) rather than Windows
Update. The Microsoft Update site delivers updates to Windows Server 2003 as well as a
range of Microsoft applications and services, including SQL Server and Exchange Server.
9. On the Windows Server Post-Setup Security Updates page, click Configure Automatic Updating For This Server.
The System Properties dialog box appears, with the Automatic Updates tab selected.
10. Click Automatic.
11. Click OK.
12. On the Windows Server Post-Setup Security Updates page, click Finish.
Windows Server Post-Setup Security Updates prompts you to confirm that you
have downloaded and installed all available security updates.
13. Click Yes.
Windows Firewall will be disabled, allowing inbound connections. You may
enable and configure Windows Firewall by opening Windows Firewall from
Control Panel.
The Manage Your Server page appears. You may continue with Exercise 3.
Exercise 3: Configuring the Server
In this exercise, you will configure the server as the first domain controller in an Active
Directory domain called contoso.com.
Note When the Active Directory Installation Wizard is launched, the steps that it prompts
you to follow will differ based on whether it detects another domain on the network. The steps
presented below assume you are running the wizard on an isolated network. If you are connected to a network with another domain, the steps might vary, and you may either modify
your choices appropriately or disconnect from the network prior to performing the exercise.
1. If it is not already open, open the Manage Your Server page from the Administrative Tools program group.
2. Click Add Or Remove A Role. The Configure Your Server Wizard appears.
3. Click Next and the Configure Your Server Wizard detects network settings.
4. Click Domain Controller (Active Directory), and then click Next.
5. In Active Directory Domain Name, type contoso.com.
6. Verify that NetBIOS Domain Name reads CONTOSO and click Next.
7. Verify that the Summary Of Selections matches that shown in Figure 1-3 and
click Next.
The Configure Your Server Wizard reminds you that the system will restart and
asks you to close any open programs.
Figure 1-3 Summary Of Selections
8. Click Yes.
9. After the system has restarted, log on as Administrator.
10. The Configure Your Server Wizard will summarize its final steps, as shown in
Figure 1-4.
Figure 1-4 The Configure Your Server Wizard
11. Click Next and then click Finish.
12. Open Active Directory Users And Computers from the Administrative Tools program group. Confirm that you now have a domain called contoso.com by expanding the domain and locating the computer account for Server01 in the Domain Controllers OU.
Lesson Review
1. Which of the following versions of Windows Server 2003 require product activation? (Choose all that apply.)
a. Windows Server 2003, Standard Edition, retail version
b. Windows Server 2003, Enterprise Edition, evaluation version
c. Windows Server 2003, Enterprise Edition, Open License version
d. Windows Server 2003, Standard Edition, Volume License version
2. What are the distinctions among a domain, a tree, and a forest in Active Directory?
3. Which of the following is true about setup in Windows Server 2003 SP1? (Choose
all that apply.)
a. Setup can be launched by booting to the CD-ROM.
b. Setup can be launched by booting to setup floppies.
c. Setup requires a nonblank password to meet complexity requirements.
d. Setup will allow you to enter all 1’s for the Product ID.
e. The server will not allow inbound connections until after PSSU has been
completed.
Lesson Summary
1. Windows Server 2003 retail and evaluation versions require product activation.
2. Windows Server 2003 SP1 Post-Setup Security Updates enables Windows Firewall and, thereby, prevents inbound connections, until an administrator applies high-priority security updates and enables Automatic Updates.
3. The Manage Your Server page and the Configure Your Server Wizard provide
helpful guidance to the installation and configuration of additional services based
on the desired server role.
4. Active Directory—the Windows Server 2003 directory service—is installed on a
server using the Active Directory Installation Wizard, which is launched using the
Configure Your Server Wizard or by running DCPROMO from the command line.
Questions and Answers
Lesson 1 Review (page 1-8)
1. You are planning the deployment of computers running Windows Server 2003 for
a department of 250 employees. The server will host the home directories and
shared folders for the department, and it will serve several printers to which
departmental documents are sent. Which edition of Windows Server 2003 will provide the most cost-effective solution for the department?
Windows Server 2003, Standard Edition, is a robust platform for file and print services in a
small to medium-sized enterprise or department.
2. You are planning the deployment of computers running Windows Server 2003 for a
new Active Directory domain in a large corporation that includes multiple separate
Active Directory installations maintained by each of the corporation’s subsidiaries.
The company has decided to roll out Exchange Server 2003 as a unified messaging
platform for all the subsidiaries, and plans to use Microsoft Metadirectory Services
(MMS) to synchronize appropriate properties of objects throughout the organization.
Which edition of Windows Server 2003 will provide the most cost-effective solution
for this deployment?
Windows Server 2003, Enterprise Edition, is the most cost-effective solution that supports
MMS. Standard and Web editions do not support MMS.
3. You are rolling out servers to provide Internet access to your company’s e-commerce application. You anticipate four servers dedicated to the front-end Web
application and one server for a robust, active SQL database. Which editions will
provide the most cost-effective solution?
Windows Server 2003, Web Edition, provides a cost-effective platform for the four Web application servers. However, Web Edition will not support enterprise applications such as SQL Server; the edition of MSDE included with Web Edition allows only 25 concurrent connections. Therefore, Windows Server 2003, Standard Edition, provides the most cost-effective platform for a SQL Server.
Lesson 2 Review (page 1-24)
1. Which of the following versions of Windows Server 2003 require product activation? (Choose all that apply.)
a. Windows Server 2003, Standard Edition, retail version
b. Windows Server 2003, Enterprise Edition, evaluation version
c. Windows Server 2003, Enterprise Edition, Open License version
d. Windows Server 2003, Standard Edition, Volume License version
The correct answers are a and b.
2. What are the distinctions among a domain, a tree, and a forest in Active Directory?
A domain is the core administrative unit in Active Directory. A forest is the scope of Active Directory. A forest must contain at least one domain. If a forest contains more than one domain, domains that share a contiguous DNS namespace—meaning domains that have a common root domain—create a tree. Domains that do not share contiguous DNS namespace create distinct trees within the forest.
3. Which of the following is true about setup in Windows Server 2003? (Choose all
that apply.)
a. Setup can be launched by booting to the CD-ROM.
b. Setup can be launched by booting to setup floppies.
c. Setup requires that a nonblank password meet default complexity requirements.
d. Setup will allow you to enter all 1’s for the Product ID.
e. The server will not allow inbound connections until after PSSU has been
completed.
The correct answers are a, c, and e.
2 Administering Microsoft Windows Server 2003
Exam Objectives in this Chapter:
■ Manage servers remotely
❑ Manage a server by using Remote Assistance
❑ Manage a server by using Terminal Services remote administration mode
❑ Manage a server by using available support tools
■ Troubleshoot Terminal Services
❑ Diagnose and resolve issues related to Terminal Services security
❑ Diagnose and resolve issues related to client access to Terminal Services
Why This Chapter Matters
Microsoft Windows Server 2003 administrative tools, called snap-ins, enable you to manage user accounts, modify computer software and service settings, install new hardware, and perform many other tasks. The Microsoft Management Console (MMC) provides the framework within which these snap-ins operate. Although the default consoles delivered with Windows Server 2003 contain one or more snap-ins related to a single task, MMCs can be customized to fit the exact needs of the administrator and the task at hand. Many MMC snap-ins also support remote administration, allowing you to connect to and manage another computer without requiring “sneaker net” (a physical visit to the other computer).
Windows Server 2003 provides several other important options for remote systems management. When you require more control than you can achieve using the remote connection supported by MMC snap-ins, you can leverage Remote Desktop For Administration and Remote Assistance. Remote Desktop For Administration opens a session that gives you complete control of a remote system as if you were logged on locally at the computer’s console. Remote Desktop is akin to “remote control” software such as PCAnywhere or Virtual Network Computer (VNC), but it is fully integrated and supported with Microsoft Windows XP and Windows Server 2003. Remote Assistance is used to connect to an existing session on a remote computer, allowing you to view or even control what another user is doing in that session. Remote Assistance is particularly useful for user support scenarios, when you need to see and help a user.
Finally, Windows Server 2003 supports traditional Terminal Services functionality so that multiple users can connect to and open sessions on a single server. Terminal Services and the Remote Desktop client reduce the costs of support and management because the installation and configuration of applications is performed only once: on the terminal server itself. User desktops act as “terminals” and require only an operating system and the Remote Desktop client. In fact, users can connect to a terminal server using a hardware-based or software-based thin client. This chapter will explore each of these options for administration and support of local and remote systems.
Lessons in this Chapter:
■ Lesson 1: The Microsoft Management Console . . . . . . . . . . . . . . . . . . . . . . .2-3
■ Lesson 2: Managing Computers Remotely with the MMC . . . . . . . . . . . . . . . .2-9
■ Lesson 3: Managing Servers with Remote Desktop For Administration . . . . . 2-13
■ Lesson 4: Using Remote Assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21
■ Lesson 5: Terminal Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-29
Before You Begin
To perform the practices related to the objectives in this chapter, you must have
■ A computer that has Windows Server 2003 installed and operating. To follow the
examples directly, your server should be named Server01 and function as a
domain controller in the contoso.com domain.
■ A configured and functioning Transmission Control Protocol/Internet Protocol (TCP/IP) network to which your console and remote administrative target computers can connect (for administration of remote computers).
■ A second computer running Windows Server 2003, named Server02 and configured as a member server in the contoso.com domain.
Lesson 1: The Microsoft Management Console
The administrative framework of Windows Server 2003 is the MMC. The MMC provides a standardized, common interface for one or more tools, called snap-ins, that are specialized for individual tasks. The default administrative tools in Windows Server 2003 are MMCs with one or more snap-ins suited to a specific purpose. The Active Directory Users And Computers administrative tool, for example, is an MMC with the Active Directory Users And Computers snap-in.
After this lesson, you will be able to
■ Configure an MMC with individual snap-ins
■ Configure an MMC with multiple snap-ins
■ Save an MMC in Author or User mode
Estimated lesson time: 15 minutes
The MMC
The MMC provides a two-paned framework consisting of a console tree pane, also called a scope pane, and a details pane. The MMC menus and a toolbar provide commands for manipulating the parent and child windows, snap-ins, and the console itself.
Navigating the MMC
An empty MMC is shown in Figure 2-1. Note that the console has a name and that there
is a Console Root. This Console Root will contain any snap-ins that you choose to
include.
Figure 2-1 An empty MMC
Each console includes a console tree, console menu and toolbars, and the details pane.
The contents of these will vary, depending on the design and features of the snap-in
you use. Figure 2-2 shows a populated MMC with two snap-ins loaded.
Figure 2-2 A populated MMC
Using the MMC Menus and Toolbar
Although each snap-in will add its unique menu and toolbar items, there are several
key menus and commands that you will use in many situations that are common to
most snap-ins, as shown in Table 2-1.
Table 2-1 Common MMC Menus and Commands
Menu       Commands
File       Create a new console, open an existing console, add or remove snap-ins from a console, set options for saving a console, the recent console file list, and an exit command
Action     Varies by snap-in but generally includes export, output, configuration, and help features specific to the snap-in
View       Varies by snap-in, but includes a customize option to change general console characteristics
Favorites  Allows for adding and organizing saved consoles
Window     Open a new window, cascade, tile, and switch between open child windows in this console
Help       General help menu for the MMC as well as loaded snap-in help modules
Extending the MMC with Snap-Ins
Each MMC contains a collection of one or more tools called snap-ins. A snap-in extends the MMC by adding specific management capability and functionality. There are two types of snap-ins: stand-alone and extension.
Stand-Alone Snap-Ins
Stand-alone snap-ins are provided by the developer of an application. All administrative tools for Windows Server 2003, for example, are either single snap-in consoles or consoles with a combination of snap-ins useful to a particular task. The File Server Management console (Filesvr.msc), for example, contains snap-ins to facilitate the configuration, monitoring, and optimization of file server storage and shares.
Extension Snap-Ins
Extension snap-ins, or extensions, are designed to work with one or more stand-alone snap-ins. When you add an extension, Windows Server 2003 places the extension into the appropriate location within the stand-alone snap-in.
Many snap-ins can act as a stand-alone snap-in or extend the functionality of other snap-ins. For example, the Event Viewer snap-in can operate as a stand-alone snap-in, as in the Event Viewer console, and is an available extension for the Computer Management snap-in.
Building a Customized MMC
You can combine one or more snap-ins to create customized MMCs, which you can
then use to consolidate the tools you require for administration.
To create a customized MMC:
1. Click Start, and then select Run.
2. In the Open text box, type mmc and then click OK. A blank MMC will appear.
3. Select the File menu, and then select Add/Remove Snap-In. The Add/Remove
Snap-In dialog box appears with the Standalone tab active. Note that no snap-ins
are loaded.
4. Click Add to display the Add Stand-alone Snap-In dialog box. Locate the snap-in
you want to add, and then click Add. Many snap-ins prompt you to specify
whether you wish to focus the snap-in on the local computer or another computer
on the network.
5. When you have added all the snap-ins you require, close the dialog boxes.
6. To save the customized MMC, select the File menu and then select Save.
Off the Record Spend a few minutes analyzing your daily tasks and group them by type of
function and frequency of use. Build two or three customized consoles that contain the tools
that you use most often. You will save quite a bit of time not needing to open, switch among,
and close tools as often.
Console Options
Console options determine how an MMC operates in terms of what nodes in the console tree may be opened, what snap-ins may be added, and what windows may be created. You configure console options in the Options dialog box, which you can open by clicking Options on the File menu.
Author Mode
When you save a console in Author mode, which is the default, you enable full access
to all of the MMC functionality, including:
■ Adding or removing snap-ins
■ Creating windows
■ Creating taskpad views and tasks
■ Viewing portions of the console tree
■ Changing the options on the console
■ Saving the console
User Modes
If you plan to distribute an MMC with specific functions, you can set the desired User mode and then save the console. By default, consoles will be saved in the Administrative Tools folder in the users’ profile. Table 2-2 describes the user modes that are available for saving the MMC.
Table 2-2 MMC User Modes
Type of User Mode                 Description
Full Access                       Allows users to navigate between snap-ins, open windows, and access all portions of the console tree.
Limited Access, Multiple Windows  Prevents users from opening new windows or accessing a portion of the console tree but allows them to view multiple windows in the console.
Limited Access, Single Window     Prevents users from opening new windows or accessing a portion of the console tree and allows them to view only one window in the console.
Note MMCs, when saved, have an *.msc extension. Active Directory Users And Computers, for example, is named Dsa.msc (Directory Services Administrator.msc).
Tip Create administrative consoles for your administrators by saving customized consoles, optionally in a restricted User mode, and distributing the resulting .msc files. Any snap-in used in a custom console must be installed on the system. This means, for example, that you must have installed the Windows Server 2003 administrative tools, Adminpak.msi, on a system for a console with the Active Directory Users And Computers snap-in to function.
Practice: Building and Saving Consoles
In this practice, you will create, configure, and save an MMC.
Exercise 1: An Event Viewer Console
1. Click Start, and then click Run.
2. In the Open text box, type mmc, and then click OK.
3. Maximize the Console1 and Console Root windows.
4. From the File menu, choose Options to view the configured console mode.
In what mode is the console running?
5. Verify that the Console Mode drop-down list box is in Author mode, and then
click OK.
6. From the File menu, click Add/Remove Snap-In.
The Add/Remove Snap-In dialog box appears with the Standalone tab active. Note
that there are no snap-ins loaded.
7. In the Add/Remove Snap-In dialog box, click Add to display the Add Standalone
Snap-In dialog box.
8. Locate the Event Viewer snap-in, and then click Add.
The Select Computer dialog box appears, allowing you to specify the computer you want to administer. You can add the Event Viewer snap-in for the local computer on which you are working, or if your local computer is part of a network, you can add Event Viewer for a remote computer.
9. In the Select Computer dialog box, select Local Computer, and then click Finish.
10. In the Add Standalone Snap-In dialog box, click Close, and then in the Add/Remove
Snap-Ins dialog box, click OK.
Event Viewer (Local) now appears in the console tree. You may adjust the width
of the console tree pane and expand any nodes that you want to view.
11. On your own, add a snap-in for Device Manager (local).
12. Save the MMC as MyEvents.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. What is the default mode when creating an MMC?
2. Can a snap-in have focus on both the local computer and a remote computer
simultaneously?
3. If you want to limit the access of a snap-in, how do you construct the MMC that
contains the snap-in?
Lesson Summary
The MMC is a powerful framework for organizing and consolidating administrative
snap-ins. The hierarchical display, similar to that of Windows Explorer, offers a familiar
view of snap-in features in a folder-based paradigm. There are two types of snap-ins,
stand-alone and extension, with extensions appearing and behaving within the MMC
based on the context of their placement. Any console can be configured to work in
either of two modes, Author or User, with the User mode supporting various levels of
restricted functionality in the saved console.
Lesson 2: Managing Computers Remotely with the MMC
In Lesson 1, you learned that you can build a customized MMC with snap-ins that are
focused on remote computers. In addition, many snap-ins allow you to change the
focus of the snap-in by right-clicking the snap-in in the console tree and choosing a
command such as Connect To Another Computer, Connect To Domain, Connect To
Domain Controller, and so forth. Using the MMC to remotely manage another system
(as shown in Figure 2-3) can save you the time and cost of a physical visit to the
computer.
Figure 2-3 Connecting to a user’s computer with the Computer Management console
After this lesson, you will be able to
■ Construct an MMC to manage a computer remotely
Estimated lesson time: 10 minutes
Setting Up the Snap-in for Remote Use
To connect to and manage another system using the Computer Management console,
you must launch the console with an account that has administrative credentials on the
remote computer. If your credentials do not have sufficient privileges on the target
computer, snap-ins will load, but they either will function in read-only mode or will not
display any information.
Tip You can use Run As, or secondary logon, to launch a console with credentials other
than those with which you are currently logged on.
When you’re ready to manage a remote system, you may open an existing console
with the appropriate snap-in loaded or configure a new MMC and configure the remote
connection when you add the snap-in. To remotely manage a system using the existing
Computer Management console, for example, follow these steps:
1. Open the Computer Management console by right-clicking My Computer and
choosing Manage from the shortcut menu.
2. Right-click Computer Management in the console tree and choose Connect To
Another Computer.
3. In the dialog box shown in Figure 2-4, type the name or IP address of the computer
or browse the network for the remote computer, and then click OK to connect.
Figure 2-4 Setting the Local/Remote Context for a snap-in
Once connected, you can perform administrative tasks on the remote computer.
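The same connection can be prepared and opened from a command line, which also lets you test the two prerequisites just described (network reachability and administrative credentials) before the console loads. The following script is an added example, not part of the training kit; it assumes PowerShell on the administrative workstation, Server02 as the target from this chapter, and CONTOSO\ServerAdmin as a constructed placeholder account used with Run As (secondary logon).

```powershell
# Added example (not from the training kit): from an administrative
# workstation, check that the target server is reachable for MMC management
# and open Computer Management against it under alternate credentials, the
# Run As / secondary logon approach from the Tip above.
# Assumptions: Server02 is the member server from this chapter;
# CONTOSO\ServerAdmin is a constructed placeholder account; PowerShell with
# the .NET Framework is available on the workstation.

function Test-RpcEndpointMapper {
    param([string]$ComputerName, [int]$TimeoutMs = 2000)
    # Every MMC snap-in connection begins with an RPC call to the endpoint
    # mapper on TCP 135. If Windows Firewall on the target drops it, the
    # snap-in still loads but displays nothing, which is the symptom to catch.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, 135, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-AdminRights {
    param([string]$ComputerName)
    # ADMIN$ is only accessible to administrators of the target (over TCP 445),
    # the same rights Computer Management needs for full read/write operation.
    # This test runs as the current user, not as the Run As account.
    return (Test-Path "\\$ComputerName\ADMIN$")
}

function Start-RemoteComputerManagement {
    param([string]$ComputerName, [string]$RunAsUser)
    if (-not (Test-RpcEndpointMapper -ComputerName $ComputerName)) {
        throw "TCP 135 on $ComputerName is unreachable; check the remote administration firewall exception."
    }
    if (-not (Test-AdminRights -ComputerName $ComputerName)) {
        Write-Warning "Current user is not an administrator on $ComputerName; relying on $RunAsUser."
    }
    # runas prompts for the password; /computer= focuses the console on the
    # remote machine, exactly as Connect To Another Computer does.
    & runas /user:$RunAsUser "mmc compmgmt.msc /computer=$ComputerName"
}

Start-RemoteComputerManagement -ComputerName 'Server02' -RunAsUser 'CONTOSO\ServerAdmin'
```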
When you connect to a remote system using the MMC, you connect using remote procedure calls (RPCs). If the remote system has Windows Firewall enabled, the default firewall configuration will prevent inbound RPC traffic. To enable remote administration using the MMC, configure the firewall exception for remote administration. This exception opens TCP ports 135 and 445 and adds program exceptions for Svchost.exe and Lsass.exe to allow hosted services to open additional, dynamically assigned ports, typically in the range of 1024 to 1034. It also enables a computer to receive unsolicited incoming Distributed Component Object Model (DCOM) and RPC traffic.
To configure this exception, open the local or a domain-based Group Policy Object (GPO) and navigate to the Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall node. Then open the Domain Profile, which specifies firewall configuration when a system is connected to the domain. In the details pane, double-click the Windows Firewall: Allow Remote Administration Exception policy setting. Enable the policy and specify the IP addresses from which remote administration will be allowed.
For more information about working with GPOs, consult the Windows Help And Support Center and the online help in the Group Policy Management Console and the Group Policy Object Editor consoles.
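On a single server, the same exception can be set and verified from the netsh firewall context that Windows Server 2003 SP1 provides, which is useful for confirming what the policy actually produced. The following script is an added example, not part of the training kit; it assumes an elevated PowerShell session on the managed server, English console output for the verification step, and 10.0.0.0/24 as a constructed placeholder for the administrative subnet.

```powershell
# Added example (not from the training kit): enable the Windows Firewall remote
# administration exception for the domain profile, limited to the management
# subnet, and then verify it from the same netsh context.
# Assumptions: elevated PowerShell on a Windows Server 2003 SP1 system that
# has the "netsh firewall" context; English console output for parsing;
# 10.0.0.0/24 is a constructed placeholder for the administrative subnet.
# A domain GPO that configures this setting takes precedence over the local
# netsh setting, so run this where the GPO described above is not applied.

$AdminSubnet = '10.0.0.0/24'   # constructed placeholder

function Enable-RemoteAdminException {
    param([string]$Scope)
    # REMOTEADMIN is the built-in service exception behind the GPO setting
    # "Windows Firewall: Allow Remote Administration Exception": TCP 135,
    # TCP 445, and the dynamic RPC ports used by Svchost.exe and Lsass.exe.
    # scope=CUSTOM with an address list is the per-machine equivalent of the
    # "IP addresses from which remote administration will be allowed" box;
    # scope=ALL would expose the RPC endpoint mapper to every network source.
    $out = & netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=CUSTOM addresses=$Scope profile=DOMAIN
    if ($LASTEXITCODE -ne 0) { throw "netsh firewall set service failed: $out" }
}

function Test-RemoteAdminException {
    # Returns $true when the Remote Administration service exception is
    # reported as Enable. The output lists the Domain and Standard profiles;
    # only the Domain profile section is inspected, since that is the profile
    # in effect while the server is connected to contoso.com.
    $inDomain = $false
    foreach ($line in (& netsh firewall show service)) {
        if ($line -match 'Domain profile')   { $inDomain = $true;  continue }
        if ($line -match 'Standard profile') { $inDomain = $false; continue }
        if ($inDomain -and $line -match '^\s*Enable\s+\S+\s+Remote Administration') {
            return $true
        }
    }
    return $false
}

function Test-RpcPortsListening {
    # Cross-check at the socket level: the endpoint mapper (135) and SMB (445)
    # must be listening before the firewall exception is of any use.
    $listening = & netstat -an | Where-Object { $_ -match 'TCP\s+\S+:(135|445)\s+\S+\s+LISTENING' }
    return (@($listening).Count -ge 2)
}

Enable-RemoteAdminException -Scope $AdminSubnet
if (-not (Test-RemoteAdminException)) { throw 'Remote administration exception is not enabled for the domain profile.' }
if (-not (Test-RpcPortsListening))    { Write-Warning 'TCP 135/445 are not in LISTENING state on this server.' }
"Remote administration allowed from $AdminSubnet (domain profile)."
```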
Practice: Adding a Remote Computer for Management (Optional)
Note This practice requires that you have a computer available for remote connection, and
that you have administrative privileges on that computer.
Exercise 1: Connecting Remotely with the MMC
In this exercise, you will modify an existing MMC to connect to a remote computer.
1. Open the saved MMC from the exercise in Lesson 1 (MyEvents).
2. From the File menu, click Add/Remove Snap-In.
3. In the Add/Remove Snap-In dialog box, click Add to display the Add Standalone
Snap-In dialog box.
4. Locate the Computer Management snap-in, and then click Add.
5. In the Computer Management dialog box, select Another Computer.
6. Type the name or IP address of the computer, or browse the network for it, and
then click Finish to connect.
7. Click Close in the Add Standalone Snap-In dialog box, and then click OK to load
the Computer Management snap-in to your MyEvents console.
You can now use the management tools to administer the remote computer.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. What credentials are required for administration of a remote computer using
the MMC?
2. Can an existing MMC snap-in be changed from local to remote context, or must a
snap-in of the same type be loaded into the MMC for remote connection?
3. Are all functions within a snap-in used on a local computer usable when connected remotely?
Lesson Summary
Many MMC snap-ins support the ability to connect either to the local computer or to
remote computers. You can establish the connection to a remote computer when the
snap-in is added to a console or after it is added by right-clicking an existing snap-in
and choosing Connect. You must have administrative privileges on the target system to
use snap-ins to manage a remote computer. In addition, if the Windows Firewall is
enabled, you must configure the exception for remote administration; otherwise,
inbound connections will be blocked.
Lesson 3: Managing Servers with Remote Desktop For Administration
The Windows 2000 Server family introduced a tightly integrated suite of tools and technologies that enabled Terminal Services for both remote administration and application sharing. The evolution has continued: Terminal Services is now an integral, default component of the Windows Server 2003 family, and Remote Desktop has been improved and positioned as an out-of-the-box capability, so that with one click, a computer running Windows Server 2003 will allow two concurrent connections for remote administration. By adding the Terminal Server component and configuring appropriate licensing, an administrator can further extend the technologies to allow multiple users to run applications on the server. In this lesson, you will learn how to enable Remote Desktop For Administration.
After this lesson, you will be able to
■ Configure a server to enable Remote Desktop For Administration
■ Assign users to the appropriate group to allow them to administer servers remotely
■ Connect to a server using Remote Desktop For Administration Connection
Estimated lesson time: 15 minutes
Enabling and Configuring Remote Desktop For Administration
The Terminal Services service enables Remote Desktop, Remote Assistance, and Terminal Server for application sharing. The service is installed by default on Windows Server 2003 and configured to support Remote Desktop For Administration. Remote Desktop For Administration allows only two concurrent remote connections and does not include the application sharing components of Terminal Server. Therefore, Remote Desktop For Administration operates with very little overhead on the system and with no additional licensing requirements. You must install other components—Terminal Server and the Terminal Server Licensing service—using Add Or Remove Programs.
Note Because Terminal Services and its dependent Remote Desktop For Administration are default components of Windows Server 2003, every server has the capability to provide remote connections to its console. The term “terminal server” now therefore refers specifically to a computer running Windows Server 2003 that provides application sharing to multiple users through addition of the Terminal Server component. Terminal Server is discussed in detail in Lesson 5.
All the administrative tools required to configure and support client connections and to
manage Terminal Services are installed by default on every computer running Windows
Server 2003. Each of the tools and their functions are described in Table 2-3.
Table 2-3 Default Components of Terminal Server and Remote Desktop
Installed Software                        Purpose
Terminal Services Configuration           Setting properties on the Terminal Server, including session, network, client desktop, and client remote control settings
Terminal Services Manager                 Sending messages to connected Terminal Server clients, disconnecting or logging off sessions, and establishing remote control or shadowing of sessions
Remote Desktop Client Installation Files  Installation of the Windows Server 2003 or Windows XP Remote Desktop Client application. The 32-bit Remote Desktop client software can be installed from %Systemroot%\System32\Clients\Tsclient\Win32 of the Terminal Server.
Terminal Services Licensing               Configuration of licenses for client connections to a terminal server. This tool is not applicable for environments that use only Remote Desktop For Administration.
To enable Remote Desktop connections on a computer running Windows Server 2003,
open the System properties from Control Panel. In the Remote tab, select Allow Users
To Connect Remotely To This Computer.
Note If the Terminal Server is a Domain Controller, you must also configure the Group Policy on the Domain Controller to allow connection through Terminal Services to the Remote Desktop Users group. By default, Domain Controllers allow only members of the Administrators group to log on using Terminal Services. Member servers will allow Terminal Services connections by the Remote Desktop Users group by default.
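The Remote tab setting and the group membership it relies on can also be applied and checked from a script, which makes the domain controller case in the Note above explicit rather than a surprise at the first failed logon. The following is an added example, not part of the training kit; it assumes an elevated PowerShell session on the server, the fDenyTSConnections value under the Terminal Server registry key, and CONTOSO\HelpdeskOps as a constructed placeholder support account.

```powershell
# Added example (not from the training kit): enable Remote Desktop For
# Administration and grant a support account access, taking the domain
# controller caveat from the Note above into account.
# Assumptions: elevated PowerShell on the server; CONTOSO\HelpdeskOps is a
# constructed placeholder account.

$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Test-RemoteDesktopEnabled {
    # fDenyTSConnections = 1 means "Allow users to connect remotely to this
    # computer" is cleared; 0 means it is selected.
    $v = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections).fDenyTSConnections
    return ($v -eq 0)
}

function Enable-RemoteDesktop {
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 0 -Type DWord
    # Remote Desktop listens on TCP 3389, which is covered by the separate
    # REMOTEDESKTOP firewall exception, not by the remote administration one.
    & netsh firewall set service type=REMOTEDESKTOP mode=ENABLE profile=DOMAIN | Out-Null
    # Terminal Services must be running for the listener to appear.
    if ((Get-Service TermService).Status -ne 'Running') { Start-Service TermService }
}

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    return ((Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4)
}

function Grant-RemoteDesktopAccess {
    param([string]$Account)
    # Membership in Remote Desktop Users is the least-privilege way to allow a
    # connection; adding the account to Administrators is not required.
    & net localgroup "Remote Desktop Users" $Account /add | Out-Null
    if (Test-IsDomainController) {
        # On a domain controller the group exists but, by default, only
        # Administrators hold the "Allow log on through Terminal Services"
        # user right. That right is granted in Group Policy (Default Domain
        # Controllers Policy), which this script does not modify.
        Write-Warning "$env:COMPUTERNAME is a domain controller: also grant Remote Desktop Users the 'Allow log on through Terminal Services' right in Group Policy."
    }
}

Enable-RemoteDesktop
if (-not (Test-RemoteDesktopEnabled)) { throw 'Remote Desktop is still disabled.' }
Grant-RemoteDesktopAccess -Account 'CONTOSO\HelpdeskOps'
```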
Remote Desktop Connection
Remote Desktop Connection is the client-side software used to connect to a server in
the context of either Remote Desktop or Terminal Server modes. There is no functional
difference from the client perspective between Remote Desktop For Administration
and Terminal Server.
On computers running Windows XP and Windows Server 2003, Remote Desktop Connection is installed by default, though it is not easy to find in its default location in the All Programs\Accessories\Communications program group on the Start menu.
For other platforms, Remote Desktop Connection can be installed from the Windows Server 2003 CD or from the client installation folder (%Systemroot%\System32\Clients\Tsclient\Win32) on any computer running Windows Server 2003. The .msi-based Remote Desktop Connection installation package can be distributed to Windows 2000 systems using Group Policy or SMS.
Tip It is recommended that you update previous versions of the Terminal Services client to the latest version of Remote Desktop Connection. Doing so will provide the most efficient, secure and stable environment possible through improvements such as a revised user interface, 128-bit encryption, and alternate port selection.
Figure 2-5 shows the Remote Desktop client configured to connect to Server01 in the
contoso.com domain.
Figure 2-5 Remote Desktop client
Configuring the Remote Desktop Client
You can control many aspects of the Remote Desktop connection from both the client and server sides. Table 2-4 lists configuration settings and their use. You manage client-side configuration in the Remote Desktop Connection client. You configure server-side settings using the Terminal Services Configuration console. The vast majority of server-side settings are found within the Properties dialog box for the RDP-Tcp connection. Any setting that conflicts between the configuration of the server and the client is resolved using the server’s setting.
Table 2-4 Remote Desktop Settings
Client settings (configured in the Remote Desktop Connection client)
General: Options for the selection of the computer to which connection should be made, the setting of static logon credentials, and the saving of settings for this connection.
Display: Controls the size of the Remote Desktop client window, color depth, and whether control-bar functions are available in full-screen mode.
Local Resources: Options to bring sound events to your local computer, in addition to standard mouse, keyboard, and screen output; how Windows key combinations (for example, ALT+TAB) are to be interpreted by the remote computer; and whether local disk, printer, and serial port connections should be available to the remote session.
Programs: Sets the path and target folder for any program you want to start once the connection is made.
Experience: Categories of display functions can be enabled or disabled based on available bandwidth between the remote and local computers. Items include showing the desktop background, showing the contents of the window while dragging, menu and window animation, themes, and whether bitmap caching should be enabled (this transmits only the changes in the screen rather than repainting the entire screen on each refresh period).
Server settings (configured in the RDP-Tcp Properties dialog box of Terminal Services Configuration)
Logon Settings: Static credentials can be set for the connection rather than using those provided by the client.
Sessions: Settings for ending a disconnected session, session limits and idle timeout, and reconnection allowance can be made here to override the client settings.
Environment: Overrides the settings from the user’s profile for this connection for starting a program upon connection. Path and target settings set here override those set by the Remote Desktop Connection.
Permissions: Allows for additional permissions to be set on this connection.
Remote Control: Specifies whether remote control of a Remote Desktop Connection session is possible and, if it is, whether the user must grant permission at the initiation of the remote control session. Additional settings can restrict the remote control session to viewing only or allow full interactivity with the Remote Desktop client session.
Client Settings: Overrides settings from the client configuration, controls color depth, and disables various communication (I/O) ports.
Network Adapters: Specifies which network cards on the server will accept Remote Desktop For Administration connections.
General: Sets the encryption level and authentication mechanism for connections to the server.
Tip You may also establish connections for Remote Desktop For Administration using the
Remote Desktops snap-in or the Mstsc.exe command. Both of these clients support con-
necting to the console session (Session 0) of a server, which is identical to the session you
would receive if you logged on interactively to the server. A console session enables you to
perform actions that are restricted in other Remote Desktop For Administration sessions
(Sessions 1 or 2).
Terminal Services Troubleshooting
When using Remote Desktop For Administration, you are creating a connection to a
session running on the server. There are several potential causes of failed connections
or problematic sessions:
■ Network failures Errors in standard TCP/IP networking can cause a Remote
Desktop connection to fail or be interrupted. If DNS is not functioning, a client
might not be able to locate the server by name. If routing is not functioning, or the
Terminal Services port (by default, port 3389) is misconfigured on either the client or
the server, the connection will not be established.
■ Firewall settings Remote Desktop and Terminal Services use TCP port 3389 by
default. Any firewall on the server, or between the server and the client, must keep
TCP port 3389 open. You may add the port as a port exception or enable the pre-
configured exception for Remote Desktop.
■ Credentials Users must belong to the Administrators or Remote Desktop
Users group to successfully connect to the server using Remote Desktop For
Administration.
Exam Tip Examine group membership if access is denied when establishing a Remote
Desktop For Administration connection. In earlier versions of Terminal Server, you had to be a
member of the Administrators group to connect to the server, although special permissions
could be established manually. Now you can be a member of the Remote Desktop Users
groups on member servers and workstations. Domain controllers require you to be a member
of the Administrators group. In the “real world,” you can grant the right to log on through Ter-
minal Services to any user or group through Group Policy. You cannot increase the default
limit of two concurrent connections of Remote Desktop For Administration.
■ Policy Domain controllers will allow connections through Remote Desktop only
to administrators. You must configure the domain controller security policy to
allow connections for all other remote user connections.
■ Too many concurrent connections If sessions have been disconnected with-
out being logged off, the server might consider its concurrent connection limit
reached even though there are not two human users connected at the time. An
administrator might, for example, close a remote session without logging off. If
two more administrators attempt to connect to the server, only one will be allowed
to connect before the limit of two concurrent connections is reached. Use Terminal
Services Manager to view and log off any open, idle, and unnecessary sessions.
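The failure causes above can be checked in order from a script rather than by hand. The following Windows PowerShell code is an added example, not part of the training kit: Test-RdpReachability, run from the client, covers name resolution and whether anything answers on the Terminal Services port (routing, firewall, or a changed port), and Get-RdpServerState, run locally on the server as an administrator, reads the Remote tab setting and the RDP-Tcp port from the registry, lists the Remote Desktop Users group, and parses qwinsta output to find disconnected sessions that still occupy one of the two connection slots. The function and parameter names are this example's own; it assumes Windows PowerShell 2.0 or later is installed.

```powershell
# Added example, not from the training kit: first-pass triage for a failed
# Remote Desktop For Administration connection, following the failure causes
# listed in the lesson (name resolution, routing/port, firewall, group
# membership, exhausted connection slots). Function and parameter names are
# this example's own. Assumes Windows PowerShell 2.0 or later; run
# Get-RdpServerState locally, as Administrator, on the terminal server.

function Test-RdpReachability {
    param(
        [Parameter(Mandatory = $true)] [string] $ServerName,
        [int] $Port = 3389    # Terminal Services default; adjust if RDP-Tcp was moved
    )
    $result = New-Object PSObject -Property @{
        Server = $ServerName; Addresses = @(); PortOpen = $false; Problem = $null
    }
    # Network failure: if DNS is not working the client cannot find the server.
    try {
        $result.Addresses = @([System.Net.Dns]::GetHostAddresses($ServerName) |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        $result.Problem = "DNS: cannot resolve $ServerName ($($_.Exception.Message))"
        return $result
    }
    # Routing, firewall or wrong port: attempt a plain TCP connect to the RDP port.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $tcp.BeginConnect($ServerName, $Port, $null, $null)
        if ($handle.AsyncWaitHandle.WaitOne(3000, $false)) {
            $tcp.EndConnect($handle)      # throws if the connection was refused
            $result.PortOpen = $true
        } else {
            $result.Problem = "TCP $Port did not answer in 3 s: routing, firewall or changed port"
        }
    } catch {
        $result.Problem = "TCP $Port refused: $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }
    return $result
}

function Get-RdpServerState {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts     = Get-ItemProperty $tsKey
    $rdpTcp = Get-ItemProperty "$tsKey\WinStations\RDP-Tcp"

    # Credentials: members of Remote Desktop Users (Administrators may always connect).
    # 'net localgroup' prints a six-line header before the member list.
    $members = @(net localgroup "Remote Desktop Users" | Select-Object -Skip 6 |
        Where-Object { $_ -and $_ -notmatch '^The command completed' })

    # Too many concurrent connections: a disconnected session still holds a slot.
    # qwinsta prints SESSIONNAME, USERNAME, ID, STATE; capture the ID and state.
    $sessions = @(qwinsta | Select-Object -Skip 1 | ForEach-Object {
        if ($_ -match '\s(\d+)\s+(Active|Disc)\b') {
            New-Object PSObject -Property @{
                Id = [int]$matches[1]; State = $matches[2]; Line = $_.Trim()
            }
        }
    })

    New-Object PSObject -Property @{
        RemoteDesktopEnabled = ($ts.fDenyTSConnections -eq 0)   # Remote tab check box
        ListeningPort        = $rdpTcp.PortNumber              # 3389 unless changed
        RemoteDesktopUsers   = $members
        Sessions             = $sessions
        # Each disconnected session consumes one of the two connections;
        # Terminal Services Manager, or 'logoff <Id>', frees it.
        DisconnectedSessions = @($sessions | Where-Object { $_.State -eq 'Disc' })
    }
}

# From the client:  Test-RdpReachability -ServerName Server01 | Format-List
# On the server:    Get-RdpServerState | Format-List
```

If Test-RdpReachability reports an open port but the logon is still refused, the remaining causes are the server-side ones: Remote Desktop disabled, the account missing from Remote Desktop Users (or the domain controller policy discussed in the Exam Tip), or both connection slots held by disconnected sessions.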
See Also For more on Terminal Services and the Remote Desktop client, see Lesson 5.
Practice: Installing Terminal Services and Running Remote
Administration
In this practice, you will configure Server01 to enable Remote Desktop For Administra-
tion connections. You will then optimize Server01 to ensure availability of the connec-
tion when the connection is not in use, and you will limit the number of simultaneous
connections to one. You then run a remote administration session from Server02 (or
another remote computer).
If you are limited to one computer for this practice, you can use the Remote Desktop
client to connect to Terminal Services on the same computer. Adjust references to a
remote computer in this practice to that of the local computer.
Exercise 1: Configure the Server for Remote Desktop
In this exercise, you will enable Remote Desktop connections, change the number of
simultaneous connections allowed to the server, and configure the disconnection set-
tings for the connection.
1. Log on to Server01 as Administrator.
2. Open the System properties from Control Panel.
3. On the Remote tab, enable Remote Desktop. Close System Properties.
4. Open the Terminal Services Configuration console from the Administrative Tools
folder.
5. In the tscc (Terminal Services Configuration\Connections) MMC, right-click the
RDP-Tcp connection in the details pane, and then click Properties.
6. On the Network Adapter tab, change the Maximum Connections to 1.
7. On the Sessions tab, select both of the Override User Settings check boxes, and
change the settings so that any user session that is disconnected, by any means or
for any reason, is closed after 15 minutes, that there is no Active session time limit,
and that a session is disconnected after 15 minutes of inactivity:
❑ End a disconnected session: 15 minutes
❑ Active session limit: never
❑ Idle session limit: 15 minutes
❑ When session limit is reached or connection is broken: Disconnect from session
This configuration will ensure that only one person at a time can be connected to
the Terminal Server, that any disconnected session will be closed in 15 minutes,
and that an idle session will be disconnected in 15 minutes. These settings are use-
ful to prevent a session that is disconnected or idle making the Remote Desktop
For Administration connection unavailable.
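The same configuration can be applied and verified from a script, which is useful when several servers must be brought to the same state or when the settings are audited later. The following Windows PowerShell code is an added example and not part of the practice; it writes the registry values under the RDP-Tcp connection that the Terminal Services Configuration console writes for steps 3, 6 and 7. The registry value names are the console's own; the function and parameter names are this example's. It assumes Windows PowerShell 2.0 or later and is run as Administrator on the terminal server.

```powershell
# Added example, not from the training kit: the settings from Exercise 1
# (steps 3, 6 and 7) applied as a script. It writes the registry values under
# the RDP-Tcp connection that the Terminal Services Configuration console
# writes; the value names are the console's own, the function and parameter
# names are this example's. Assumes Windows PowerShell 2.0 or later, run as
# Administrator on the terminal server (Server01 in the practice).

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsKey\WinStations\RDP-Tcp"

function Set-RdaSessionLimits {
    param(
        [int] $MaxConnections      = 1,    # step 6: Network Adapter tab, Maximum connections
        [int] $DisconnectedMinutes = 15,   # step 7: End a disconnected session
        [int] $IdleMinutes         = 15,   # step 7: Idle session limit
        [int] $ActiveMinutes       = 0     # step 7: Active session limit; 0 means never
    )
    # Step 3: the Remote tab check box clears fDenyTSConnections.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 0 -Type DWord

    Set-ItemProperty -Path $RdpTcp -Name MaxInstanceCount -Value $MaxConnections -Type DWord

    # Step 7, both "Override user settings" boxes: the fInherit* flags are 0
    # when the connection overrides the per-user values from the account's
    # Sessions tab.
    foreach ($flag in 'fInheritMaxDisconnectionTime', 'fInheritMaxIdleTime',
                      'fInheritMaxSessionTime', 'fInheritResetBroken') {
        Set-ItemProperty -Path $RdpTcp -Name $flag -Value 0 -Type DWord
    }

    # The three timers are stored in milliseconds; 0 means "never".
    Set-ItemProperty -Path $RdpTcp -Name MaxDisconnectionTime -Value ($DisconnectedMinutes * 60000) -Type DWord
    Set-ItemProperty -Path $RdpTcp -Name MaxIdleTime          -Value ($IdleMinutes * 60000) -Type DWord
    Set-ItemProperty -Path $RdpTcp -Name MaxConnectionTime    -Value ($ActiveMinutes * 60000) -Type DWord

    # "When session limit is reached or connection is broken":
    # 0 = Disconnect from session (the exercise's choice), 1 = End session.
    Set-ItemProperty -Path $RdpTcp -Name fResetBroken -Value 0 -Type DWord
}

function Get-RdaSessionLimits {
    # Read the values back so the change can be verified now and audited later.
    $p = Get-ItemProperty -Path $RdpTcp
    $active = 'never'
    if ($p.MaxConnectionTime -gt 0) { $active = "$($p.MaxConnectionTime / 60000) minutes" }
    $onBroken = 'Disconnect from session'
    if ($p.fResetBroken -eq 1) { $onBroken = 'End session' }
    New-Object PSObject -Property @{
        MaxConnections      = $p.MaxInstanceCount
        DisconnectedMinutes = $p.MaxDisconnectionTime / 60000
        IdleMinutes         = $p.MaxIdleTime / 60000
        ActiveSessionLimit  = $active
        OnLimitOrBroken     = $onBroken
    }
}

Set-RdaSessionLimits
Get-RdaSessionLimits | Format-List
```

After running it, open the RDP-Tcp Properties dialog box in Terminal Services Configuration: the Sessions and Network Adapter tabs should show the same values the practice asks you to set by hand.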
Exercise 2: Connect to the Server with the Remote Desktop Client
1. On Server02 (or another remote computer, or from Server01 itself if a remote com-
puter is not available), open Remote Desktop Connection (from the Accessories,
Communications program group) and connect to and log on to Server01.
2. On Server01, open the Tsadmin.exe (Terminal Services Manager) MMC. You
should see the remote session connected to Server01.
3. Leave the session idle for 15 minutes, or close the Remote Desktop client without
logging off the Terminal Server session, and the session should be disconnected
automatically in 15 minutes.
You have now logged on to Server01 remotely and can perform any tasks on the Server01
computer that you could accomplish while logged on interactively at the console.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. How many simultaneous connections are possible to a Terminal Server running in
Remote Administration mode? Why?
2. What would be the best way to give administrators the ability to administer a
server remotely through Terminal Services?
a. Don’t do anything; they already have access because they are administrators.
b. Remove the Administrators from the permission list on the Terminal Server
connection, and put their administrator account in the Remote Desktop For
Administration Group.
c. Create a separate, lower-authorization user account for Administrators to use
daily, and place that account in the Remote Desktop For Administration
Group.
3. What tool is used to enable Remote Desktop on a server?
a. Terminal Services Manager
b. Terminal Services Configuration
c. System properties in Control Panel
d. Terminal Services Licensing
Lesson Summary
Administrators and members of the Remote Desktop Users group have the ability to
connect to a server using Remote Desktop Connection. Terminal Services is installed
on Windows Server 2003 by default and allows up to two Remote Desktop For Admin-
istration connections simultaneously. The Remote Desktop Connection client, a default
component of Windows XP and Windows Server 2003, can be installed on any 32-bit
Windows platform from the Windows Server 2003 installation CD or (after sharing the
directory) from any computer running Windows Server 2003. Configuration of Remote
Desktop For Administration connections is accomplished through settings on the client
(Remote Desktop Connection) and server (Terminal Services Configuration). Key set-
tings for the connections can be overridden by the server.
Lesson 4 Using Remote Assistance 2-21
Lesson 4: Using Remote Assistance
Computer users, particularly users without much technical expertise, often have con-
figuration or usage issues that are difficult for a support professional or even a friend
or family member to diagnose and fix over the telephone. Remote Assistance provides
a way for users to get the help they need and makes it easier and less costly for cor-
porate help desks to assist their users.
After this lesson, you will be able to
■ Enable a computer to accept requests for Remote Assistance
■ Use one of the available methods to request and establish a Remote Assistance session
Estimated lesson time: 30 minutes
Introducing Remote Assistance
With Remote Assistance, available on Windows Server 2003 and Windows XP, an
administrator or support representative can connect remotely to a user’s computer, chat
with the user, and either view all the user’s activities or take control of the keyboard
and mouse.
Note In Microsoft interfaces and documentation, the person connecting to a client using
Remote Assistance is referred to as an expert or a helper.
Remote Assistance can eliminate the need for administrative personnel to travel to a
user’s location for any of the following reasons:
■ Technical support A system administrator or help desk operator can use
Remote Assistance to connect to a remote computer to modify configuration
parameters, install new software, or troubleshoot user problems.
■ Troubleshooting By connecting in Read-Only mode, an expert can observe a
remote user’s activities and determine whether improper procedures are the
source of problems the user is experiencing. The expert can also connect in inter-
active mode to try to re-create the problem or to modify system settings to resolve
it. This is far more efficient than trying to give instructions to inexperienced users
over the telephone.
■ Training Trainers and help desk personnel can demonstrate procedures to
users right on their systems without having to travel to their locations.
Configuring Remote Assistance
To receive remote assistance, the computer running Windows Server 2003 or Windows XP
must be configured to use the Remote Assistance feature in one of the following ways:
■ Using system properties Open System from Control Panel and click the Remote
tab. Then select the Turn On Remote Assistance And Allow Invitations To Be Sent
From This Computer check box.
Note By clicking the Advanced button in the Remote tab in the System Properties dialog
box, the user can specify whether to let the expert take control of the computer or simply view
activities on the computer. The user can also specify the amount of time that the invitation for
remote assistance remains valid.
■ Using group policies In a local or domain-based GPO, navigate to Computer
Configuration, Administrative Templates, System, Remote Assistance, and enable
the Solicited Remote Assistance policy.
Note The Solicited Remote Assistance policy also enables you to specify the degree of con-
trol the expert receives over the client computer, the duration of the invitation, and the
method for sending e-mail invitations.
Creating an Invitation for Assistance
To receive remote assistance, a client must issue an invitation and send it to a particular
expert. The client can send the invitation to the expert using Microsoft Windows Mes-
senger or e-mail, or he or she can send it as a file. Figure 2-6 shows the screen in Help
And Support Center used to invite someone for assistance.
Figure 2-6 The Remote Assistance invitation screen in the Help And Support Center
Security Alert If the user chooses to send an e-mail or file request for Remote Assis-
tance, a password will be required as a shared secret for the Remote Assistance session.
The user should set a strong password and let the expert know what the password is in a
separate communication such as a telephone call or secure e-mail.
To use the Windows Messenger service for your Remote Assistance connection, you
must have the expert’s Windows Messenger user name in your contact list. Windows
Messenger will display the expert’s status as online or offline. Figure 2-7 illustrates
making a request for Remote Assistance using Windows Messenger.
Figure 2-7 Making a request for Remote Assistance
Note The indicator of online status in the Remote Assistance help window is not dynamic;
you must therefore refresh the screen to see an accurate status update.
For a successful request through e-mail, both computers must be using a Messaging
Application Programming Interface (MAPI)–compliant e-mail client.
As a third option, you can save the invitation as a file and transfer that file to the expert
through removable storage media or as an e-mail attachment, in which case the
requirement for MAPI e-mail clients is removed.
When a user initiates an invitation for Remote Assistance, the client sends an encrypted
ticket based on XML to the expert, who is prompted to accept the invitation.
Accepting an Invitation for Assistance
On accepting an invitation to provide Remote Assistance, the expert can begin to con-
nect to the remote computer. The user is notified that the expert is establishing a con-
nection and is prompted to confirm the Remote Assistance session. Then the expert is
able to view the remote computer’s session directly. The expert and user can chat
online to solve the user’s problem and files can be transferred. If the expert requests
control, and if configuration allows the expert to take control, the user is again
prompted to confirm the request.
Note Remote Assistance does not provide a mechanism through which administrators can
“spy” on a user session. Any connection by the expert must be confirmed by the user.
Offering Remote Assistance to a User
You can also configure Remote Assistance so that you can initiate troubleshooting
without receiving an invitation from the user. This highly useful option enables support
personnel to initiate Remote Assistance sessions while responding to a user’s help desk
call without requiring the user to send an invitation.
To support this workflow, you must enable the Offer Remote Assistance Local Group
Policy setting on the target (user’s) local computer. The policy setting is located in the
Computer Configuration, Administrative Templates, System, Remote Assistance con-
tainer and is labeled Offer Remote Assistance. Enable the policy and specify the indi-
vidual user accounts for the helpers who are allowed to offer Remote Assistance
without first receiving an invitation. Enter the accounts in the form domain\username
and be sure that the helpers are members of the local Administrators group on com-
puters to which they will establish Remote Assistance connections.
Tip The Offer Remote Assistance policy enables you to specify the names of users or
groups that can function as experts and choose whether those experts can perform tasks or
just observe.
A helper can now initiate Remote Assistance to a user’s computer, providing that the
credentials supplied match those of a helper defined in the target computer’s policy. To
offer remote assistance without an invitation, open the Help And Support Center, click
Tools, and then click Help And Support Center Tools. Next, click Offer Remote Assis-
tance. Figure 2-8 illustrates the Help And Support Center Tools interface. Type the
name or IP address of the target computer and then click Connect. If several users are
logged on, choose a user session. Then click Start Remote Assistance.
Figure 2-8 The Help And Support Center Tools
The user receives a pop-up box showing that the help desk person is initiating a
Remote Assistance session. The user accepts the offer of assistance, and Remote Assis-
tance can proceed.
Securing Remote Assistance
Because an expert offering remote assistance to another user can perform virtually any
activity on the remote computer that the local user can, this feature can be a significant
security hazard. An unauthorized user who takes control of a computer using Remote
Assistance can cause almost unlimited damage. However, Remote Assistance is
designed to minimize the dangers. Some protective features of Remote Assistance are
the following:
■ Invitations No person can connect to another computer using Remote Assis-
tance unless that person has received an invitation from the client. Clients can
configure the effective life spans of their invitations in minutes, hours, or days to
prevent experts from attempting to connect to the computer later.
■ Interactive connectivity When an expert accepts an invitation from a client
and attempts to connect to the computer, a user must be present at the client
console to grant the expert access. You cannot use Remote Assistance to connect
to an unattended computer.
■ Client-side control The client always has ultimate control over a Remote
Assistance connection. The client can terminate the connection at any time by
pressing the ESC key or by clicking Stop Control (ESC) in the client-side Remote
Assistance page.
■ Remote control configuration Using the System Properties dialog box or
Remote Assistance group policies, users and administrators can specify whether
experts are permitted to take control of client computers. An expert who has read-
only access cannot modify the computer’s configuration in any way using Remote
Assistance. The group policies also enable administrators to grant specific users
expert status so that no one else can use Remote Assistance to connect to a client
computer, even with the client’s permission.
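Because the protective features above are only as good as their configuration, an administrator will want to see, per computer, whether invitations are allowed, whether experts may take control, whether Offer Remote Assistance is enabled and for which helpers, and whether those choices come from Group Policy or were left to the user. The following Windows PowerShell audit is an added example and not part of the lesson: it reads the registry values behind the Remote tab and the Remote Assistance Group Policy settings and returns them with a short list of findings. The value names are the ones written by the System.adm policy template (check them against the template in your domain); the function name, the finding texts and the interpretation of the values are this example's own. It assumes Windows PowerShell 2.0 or later, run locally as Administrator.

```powershell
# Added example, not from the training kit: report how Remote Assistance is
# configured on this computer by reading the registry values behind the
# Remote tab (Terminal Server key) and the Remote Assistance Group Policy
# settings (Policies key). Value names follow the System.adm template; the
# function name and finding texts are this example's own. Assumes Windows
# PowerShell 2.0 or later, run locally as Administrator.

function Get-RemoteAssistanceAudit {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    $local  = Get-ItemProperty $localKey
    $policy = $null
    if (Test-Path $policyKey) { $policy = Get-ItemProperty $policyKey }

    # Solicited assistance (invitations) and whether the expert may take control.
    # A Group Policy value, when present, overrides the user's Remote tab choice.
    $allowHelp   = $local.fAllowToGetHelp
    $fullControl = $local.fAllowFullControl
    if ($policy -and $policy.fAllowToGetHelp -ne $null) {
        $allowHelp   = $policy.fAllowToGetHelp
        $fullControl = $policy.fAllowFullControl
    }

    # Offer Remote Assistance (no invitation needed) and the permitted helpers:
    # the policy stores one value per domain\username under RAUnsolicit.
    $unsolicited = 0; $unsolicitedControl = 0; $helpers = @()
    if ($policy) {
        $unsolicited        = $policy.fAllowUnsolicited
        $unsolicitedControl = $policy.fAllowUnsolicitedFullControl
        if (Test-Path "$policyKey\RAUnsolicit") {
            $helpers = @((Get-Item "$policyKey\RAUnsolicit").GetValueNames())
        }
    }

    $findings = @()
    if (-not $policy) {
        $findings += 'Not policy-managed: users can change Remote Assistance on the Remote tab'
    }
    if ($fullControl -eq 1) {
        $findings += 'Experts may take control; view-only is the tighter setting if chat and viewing suffice'
    }
    if ($unsolicited -eq 1 -and $helpers.Count -eq 0) {
        $findings += 'Offer Remote Assistance is enabled but no helpers are listed (misconfiguration)'
    }
    if ($unsolicited -eq 1 -and $unsolicitedControl -eq 1) {
        $findings += 'Listed helpers may take control without an invitation; keep the list to help desk staff'
    }

    $expiry = 'default'
    if ($policy -and $policy.MaxTicketExpiry) {
        # value plus a units selector, exactly as the policy stores them
        $expiry = "$($policy.MaxTicketExpiry) (units code $($policy.MaxTicketExpiryUnits))"
    }

    New-Object PSObject -Property @{
        PolicyManaged            = [bool]$policy
        InvitationsAllowed       = ($allowHelp -eq 1)
        ExpertMayTakeControl     = ($fullControl -eq 1)
        OfferWithoutInvitation   = ($unsolicited -eq 1)
        OfferHelpers             = $helpers
        MaxInvitationLifetime    = $expiry
        Findings                 = $findings
    }
}

Get-RemoteAssistanceAudit | Format-List
```

Run across a set of computers, the Findings field gives a quick view of where Remote Assistance is enabled without the Group Policy controls the lesson recommends.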
Firewall Constraints to Remote Assistance
Remote Assistance runs on top of Terminal Services technology, which means it must
use the same port used by Terminal Services: TCP port 3389. Remote Assistance will
not work when outbound traffic from port 3389 is blocked. In addition, other excep-
tions must be made. In Windows XP, the Windows Firewall has a preconfigured excep-
tion for Remote Assistance that you can enable. To configure the exceptions on
Windows Server 2003 or using Group Policy, enable the following exceptions:
■ TCP Port 135
■ %WINDIR%\SYSTEM32\Sessmgr.exe
■ %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
■ %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
In addition, there are several other firewall-related concerns, particularly in relation to
Network Address Translation (NAT).
■ Remote Assistance supports Universal Plug and Play (UPnP) to traverse Network
Address Translation (NAT) devices. This is helpful on smaller, home office networks,
because Windows XP Internet Connection Sharing (ICS) supports UPnP. However,
Windows 2000 ICS does not support UPnP.
Exam Tip Watch for questions that use Windows 2000 ICS for remote assistance from a
big, corporate help desk to a small satellite office. Because Windows 2000 ICS does not sup-
port UPnP, Remote Assistance problems will abound.
■ Remote Assistance will detect the Internet IP address and TCP port number on the
UPnP NAT device and insert the address into the Remote Assistance encrypted
ticket. The Internet IP address and TCP port number will be used to connect
through the NAT device by the helper or requester workstation to establish a
Remote Assistance session. The Remote Assistance connection request will then
be forwarded to the client by the NAT device.
■ Remote Assistance will not connect when the requester is behind a non-UPnP NAT
device when e-mail is used to send the invitation file. When sending an invitation
using Windows Messenger, a non-UPnP NAT device will work if one client is
behind a NAT device. If both the helper and requester computers are behind non-
UPnP NAT devices, the Remote Assistance connection will fail.
If you are using a software-based personal firewall or NAT in a home environment, you
can use Remote Assistance with no special configurations.
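On Windows Server 2003 with Service Pack 1 (and Windows XP with Service Pack 2), the exceptions listed above can be created from the command line with the netsh firewall context instead of the Windows Firewall dialog box. The following Windows PowerShell wrapper is an added example, not part of the lesson: it enables the preconfigured Remote Desktop exception for TCP 3389, opens TCP 135, and adds program exceptions for the three Remote Assistance binaries, then lists the result. The function and parameter names are this example's own, and the Scope parameter (defaulting to the local subnet) is an added least-exposure choice that the text does not specify. It assumes Windows PowerShell 2.0 or later, run as Administrator.

```powershell
# Added example, not from the training kit: the Remote Assistance firewall
# exceptions listed in the lesson, applied through the netsh firewall
# context of Windows Firewall (Windows XP SP2 / Windows Server 2003 SP1).
# Function and parameter names are this example's own; the Scope parameter
# is an added choice, not something the text specifies. Run as Administrator
# with Windows PowerShell 2.0 or later.

function Enable-RemoteAssistanceFirewall {
    param(
        # SUBNET limits the exceptions to the local subnet; use ALL only when
        # helpers connect from elsewhere (see the NAT discussion in the lesson).
        [ValidateSet('ALL', 'SUBNET')] [string] $Scope = 'SUBNET'
    )
    # TCP 3389: the preconfigured Remote Desktop service exception covers it.
    netsh firewall set service type=REMOTEDESKTOP mode=ENABLE "scope=$Scope"

    # TCP 135 (RPC endpoint mapper), the port exception named in the lesson.
    netsh firewall add portopening protocol=TCP port=135 "name=Remote Assistance RPC" mode=ENABLE "scope=$Scope"

    # The three Remote Assistance binaries named in the lesson.
    $programs = @(
        "$env:windir\SYSTEM32\Sessmgr.exe",
        "$env:windir\PCHealth\HelpCtr\Binaries\Helpsvc.exe",
        "$env:windir\PCHealth\HelpCtr\Binaries\Helpctr.exe"
    )
    foreach ($exe in $programs) {
        $name = 'Remote Assistance - ' + [System.IO.Path]::GetFileName($exe)
        netsh firewall add allowedprogram "program=$exe" "name=$name" mode=ENABLE "scope=$Scope"
    }
}

function Show-RemoteAssistanceFirewall {
    # Verify: list the service, port and program exceptions now in effect.
    netsh firewall show service
    netsh firewall show portopening
    netsh firewall show allowedprogram
}

Enable-RemoteAssistanceFirewall -Scope SUBNET
Show-RemoteAssistanceFirewall
```

The same five exceptions can be delivered to many computers through the Windows Firewall Group Policy settings; the commands here are the per-computer equivalent and are convenient for a test lab or a single server.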
Note The Windows Messenger Service itself relies upon port 1863 being open.
Practice: Using Remote Assistance through Windows Messenger
This practice requires either a partner or a second computer for establishing the
Remote Assistance session. Server01 and Server02 should have Windows Messenger
installed and configured with two distinct accounts. If you are limited to a single com-
puter for this practice, you may establish a Remote Assistance session using two sepa-
rate Windows Messenger accounts configured on the same computer, but you will not
be able to perform screen control.
1. From Server02 (or another computer), open Windows Messenger and log on to
your Messenger Account #2.
2. From the Windows Messenger logged on as Messenger Account #1, choose Ask
For Remote Assistance from the Actions menu.
3. In the Ask for Remote Assistance dialog box, choose the Messenger Account #2,
and then click OK.
4. There will now be a sequence of requests and acknowledgments between the two
Windows Messenger Applications. Choose Accept or OK in each query to estab-
lish the Remote Assistance session.
5. Initially, the Remote Assistance session is in Screen View Only mode. To take con-
trol of the novice’s computer, you must select Take Control at the top of the
Remote Assistance window. The novice user must Accept your attempt to take
over the computer.
Note Either the novice or expert can end control or disconnect the session at any time.
Whether or not the expert takes over the novice’s computer, screen view, file transfer,
and live chat are enabled.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. How is Remote Assistance like Remote Desktop For Administration? How is it
different?
2. What are the benefits of Remote Assistance?
3. Which of the following are firewall-related constraints relating to Remote Assistance?
a. Port 3389 must be open
b. NAT cannot be used
c. Internet Connection Sharing is not possible
d. You cannot use Remote Assistance across a Virtual Private Network (VPN)
Lesson Summary
Remote Assistance is a mutual arrangement: the user can ask an expert for help or, if
properly configured through Group Policy, the expert can initiate a help session. In
either case, the user must actively agree to the establishment of the session and can
always grant control of the desktop to the expert and take it away again. At no time
can the expert take control of the user’s desktop unannounced. Remote Assistance is
built upon Terminal Services and uses the interface of the help system and Windows
Messenger to allow for session initiation, chat, screen viewing, screen control, and file
transfer. The technology of Terminal Services and Remote Assistance is so closely tied
that both services use the same network port, 3389, which must be open through any
firewall for the Remote Assistance session to succeed.
Lesson 5 Terminal Server 2-29
Lesson 5: Terminal Server
In Lesson 3, you learned how to use Terminal Services, specifically Remote Desktop
For Administration, to connect to a server session from a remote client. You learned
that Remote Desktop For Administration is installed on every server running Windows
Server 2003 by default and that, once it is enabled using the System application in Con-
trol Panel, a server will support two concurrent connections from users who belong to
the Remote Desktop Users group.
Windows Server 2003 Terminal Services also supports providing applications to multi-
ple users running concurrent sessions. This feature, similar to the Terminal Services
Application Server mode of Windows 2000 Server, is now called Terminal Server. In
this lesson, you will learn about Terminal Server and the unique issues related to sup-
porting and troubleshooting a Terminal Server environment.
After this lesson, you will be able to
■ Install Terminal Server to support multiuser applications
■ Deploy the Remote Desktop Connection client
■ Configure and manage remote desktop sessions
■ Troubleshoot Terminal Server
Estimated lesson time: 30 minutes
Installing and Configuring a Terminal Server Environment
There are several key considerations related to the deployment of a Terminal Server
environment.
The Terminal Server Component
Terminal Server can be installed by using the Add/Remove Windows Components Wiz-
ard, which is found in Add/Remove Programs, or by choosing the Configure Your
Server Wizard from the Manage Your Server page. It is best practice to configure stand-
alone member servers as terminal servers, not as domain controllers. Hardware recom-
mendations can be found in the Help And Support Center.
Applications
Because applications on a terminal server will be provided to multiple users, perhaps
concurrently, certain registry keys, files, and folders must be installed on a terminal
server differently from how they would be installed on a server that is not a terminal
server. Always use the Add/Remove Programs tool in Control Panel to install an applica-
tion on a terminal server. Add/Remove Programs will automatically switch the terminal
server into installation mode prior to starting the application’s setup routine. While in
installation mode, the terminal server manages the configuration of the application
appropriately so that the application can run in multiuser mode.
Occasionally, an application, patch, or other installation-related process cannot be ini-
tiated by using Add/Remove Programs. For example, a vendor might provide an
online update capability for its application, and such a capability cannot be started
from Add/Remove Programs. In such cases, open the command shell and use the
Change User/Install command prior to invoking the installation or patch process.
Once the process has completed, use the Change User/Execute command. Also note
that some applications require compatibility scripts to modify their installation behav-
ior on a terminal server.
It is best practice to install Terminal Server prior to installing any applications that will
be run in multiuser mode. Similarly, prior to removing Terminal Server from a server,
you should uninstall all applications that were installed in multiuser mode. If you must
install additional applications on an existing terminal server, be sure to reset (log off)
any current user sessions using Terminal Server Connections and to disable new con-
nections by typing change logon /disable on the command line. Once applications
have been installed, type change logon /enable on the command line to allow new
connections once again. The Remote tab of System Properties, shown in Figure 2-9,
will also allow you to enable and disable Terminal Services connections.
Figure 2-9 The Remote tab of System Properties
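The installation procedure described above (block new logons, clear the remaining sessions, switch to install mode, run the vendor's setup or update, return to execute mode, reopen logons) is easy to get wrong by hand, most often by forgetting the final change user /execute. The following Windows PowerShell script is an added example, not part of the lesson; it runs the procedure as one unit using the change, query session and logoff commands that Windows Server 2003 provides, and returns the server to execute mode even if the setup program fails. The function name and the SetupPath and SetupArgs parameters are this example's own. It assumes Windows PowerShell 2.0 or later, run as Administrator on the terminal server.

```powershell
# Added example, not from the training kit: install an application on a
# terminal server in the order the lesson describes. Uses the change, query
# session and logoff commands from Windows Server 2003; the function name and
# the -SetupPath / -SetupArgs parameters are this example's own. Run as
# Administrator on the terminal server with Windows PowerShell 2.0 or later.

function Install-OnTerminalServer {
    param(
        [Parameter(Mandatory = $true)] [string] $SetupPath,   # vendor setup or patch
        [string[]] $SetupArgs = @()
    )
    # 1. Stop new Terminal Services logons; existing sessions are not affected.
    change logon /disable

    # 2. Log off every remaining session except our own, so the installer does
    #    not run while users hold application files open. query session prints
    #    a header, then SESSIONNAME, USERNAME, ID, STATE per session.
    $mine = [int] (Get-Process -Id $PID).SessionId
    query session | Select-Object -Skip 1 | ForEach-Object {
        if ($_ -match '\s(\d+)\s+(Active|Disc)\b') {
            $id = [int] $matches[1]
            if ($id -ne $mine) { logoff $id }
        }
    }

    try {
        # 3. Install mode: the server records per-user registry and file
        #    writes so that the application can run in multiuser mode.
        change user /install
        $start = @{ FilePath = $SetupPath; Wait = $true; PassThru = $true }
        if ($SetupArgs.Count -gt 0) { $start.ArgumentList = $SetupArgs }
        $proc = Start-Process @start
        if ($proc.ExitCode -ne 0) { Write-Warning "Setup exited with code $($proc.ExitCode)" }
    } finally {
        # 4. Always return to execute mode and reopen logons, even if setup failed.
        change user /execute
        change logon /enable
    }
    change user /query    # confirm the server is back in execute mode
}

# Example call with a placeholder path (constructed, not a real product):
# Install-OnTerminalServer -SetupPath 'D:\Install\setup.exe' -SetupArgs '/quiet'
```

Applications that do provide a supported Add/Remove Programs entry should still be installed that way; this script is for the online-update and vendor-patch cases the lesson describes, where Add/Remove Programs cannot start the process.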
When installing Terminal Server, you will be given the choice of Full Security and
Relaxed Security. Full Security, the default, protects certain operating system files, reg-
istry keys, and shared program files. Older applications might not function in this more
secure configuration, at which point you might choose Relaxed Security. The setting
can be changed at any time using the Server Settings in the Terminal Services Config-
uration console, shown in Figure 2-10.
Figure 2-10 Server Settings in the Terminal Services Configuration console
Many administrators misunderstand the use of the Terminal Services Home Folder. This
setting, which can be configured as part of the user account, as shown in Figure 2-11,
or through Group Policy, determines the location of a folder that is used by Terminal
Services to store user-specific files for multiuser applications. It does not affect the stor-
age location for user data files. By default, the Terminal Services Home Folder is cre-
ated as a folder called Windows in the user’s profile. To manage where user data is
stored, configure the user’s standard Home Folder setting in the Profile tab of the user
account, or use the best practice of redirecting the My Documents folder.
Figure 2-11 The Terminal Services Home Folder setting of a user account
Installation of the Remote Desktop Connection Client
The Remote Desktop Connection client (Mstsc.exe) is installed by default on all computers running Windows Server 2003 and Windows XP. The client supports all 32-bit Windows platforms, and can be installed with Group Policy on Windows 2000 systems, or with other software deployment methods on earlier platforms. Once installed, the client can be tricky to locate in the Start menu. Look in the Communications program group under Accessories, and then create a shortcut to the client in a more accessible location.
2-32 Chapter 2 Administering Microsoft Windows Server 2003
Licensing
After a 120-day evaluation period, connections to a computer running Terminal Server will not be successful unless the terminal server can obtain a client license from a Terminal Server License Server. Therefore, as part of your Terminal Server deployment, you must install a Terminal Server License Server, preferably on a server that is not a terminal server.
Use Add/Remove Programs to install Terminal Server Licensing. You will be asked whether the server should be an Enterprise License Server or a Domain License Server. An Enterprise License Server is the most common configuration, and the server can provide licenses to terminal servers in any Windows 2000 or Windows Server 2003 domain within the forest. Use a Domain License Server when you want to maintain a separate license database for each domain or when terminal servers are running in a workgroup or a Microsoft Windows NT 4 domain.
Once installed, Terminal Server Licensing is managed with the Terminal Server Licensing console in Administrative Tools. The first task you will perform is activating the Terminal Server License Server by right-clicking the Terminal Server License Server and choosing Activate Server. Once the server has been activated, client license packs must be installed. The Help And Support Center includes detailed instructions for this process. Terminal Server Licensing supports two types of client access licenses (CALs): Per Device and Per Session. Both types of CALs can be managed by the same Terminal Server License Server.
Note Terminal Server Licensing is maintained separately from server and client access licenses (CALs) for Windows Server 2003. Terminal Server CALs are licenses for the connection to a user session on a terminal server; you must still consider licensing requirements for applications that users access within their session. Consult the applications’ End User License Agreements (EULAs) to determine appropriate licensing for applications hosted on a terminal server.
Managing and Troubleshooting Terminal Server
Several tools exist that can configure terminal servers, Terminal Services user settings, Terminal Services connections, and Terminal Services sessions. These include Group Policy Editor, Terminal Services Configuration, Active Directory Users And Computers, and the Remote Desktop Connection client itself. This section will help you understand the use of each tool, and the most important configuration settings, by examining the creation, use, and deletion of a user session.
Points of Administration
There are several processes that occur as a user connects to a terminal server; and at each step, there are opportunities to configure the behavior of the connection.
The Remote Desktop Connection client allows 32-bit Windows platforms to connect to a terminal server using the Remote Desktop Protocol (RDP). The client has been greatly improved over earlier versions of the Terminal Services client and now includes a wider variety of data redirection types (including file system, serial port, printer, audio, and time zone) and supports connections in up to 24-bit color. The client includes numerous settings that configure the connection and the user’s experience. Some of those settings are shown in Figure 2-12. Settings are saved in Remote Desktop Connection (.rdp) files that can easily be opened for future connections or distributed to other users as a connection profile. Settings in the .rdp file or the Remote Desktop Connection client affect the current user’s connection to the specified terminal server.
Figure 2-12 The Remote Desktop Connection client
When a user connects to a terminal server, the server will examine the Terminal Services properties of the user’s account to determine certain settings. If Terminal Services user accounts are stored on the terminal server, the Local Users and Groups snap-in will expose Terminal Services settings in the Properties of user accounts. More commonly, user accounts are in Active Directory directory service, in which case the Active Directory Users And Computers snap-in exposes Terminal Services settings in the Environment, Remote Control, and Terminal Services Profile tabs within the user properties dialog box, as shown previously in Figure 2-11. Settings in the user account will override settings in the Remote Desktop client.
A client connects to the terminal server by specifying the server’s name or IP address. The terminal server receives the connection request through the specified network adapter. This connection is represented by a connection object, which is visible in the Terminal Services Configuration console, as shown in Figure 2-13. The connection object’s properties configure settings that affect all user connections through the network adapter. Settings in the connection will override client requested settings and settings in the user account.
Figure 2-13 Terminal Services Configuration
Exam Tip A terminal server’s RDP-Tcp connection properties, accessible through Terminal Services Configuration, will override client and user account settings for all user sessions through the connection on that individual terminal server.
Windows Server 2003 Group Policy includes numerous computer-based and user-based policies to control Terminal Services. Configurations specified by GPOs will override settings in the Remote Desktop Connection client, in the user account, or on the RDP-Tcp connections of terminal servers. Of course, those settings will apply only to the users or computers within the scope of the organizational unit (OU) to which the GPO is linked. In an environment consisting only of terminal servers running one of the Windows Server 2003 family operating systems, Group Policy will enable Terminal Services configuration with the least administrative effort. Terminal Services group policies do not apply to terminal servers running earlier versions of Windows.
Once a user session has been enabled, the Terminal Services Manager administrative tool can be used to monitor users, sessions, and applications on each terminal server. Terminal Services Manager can also be used to manage the server and to connect to, disconnect from, or reset user sessions or processes.
Before continuing the examination of Terminal Server configuration options and tools, take a moment to memorize the order of precedence for configuration settings:
1. Computer-level group policies. Most Terminal Services configuration can be set by GPOs linked to an OU in which terminal server computer objects are created. These policies override settings made with any other tool.
2. User-level group policies.
3. Configuration of the terminal server or the RDP-Tcp connection using the Terminal Services Configuration tool. Although this tool is server- and connection-specific, and therefore cannot specify a single configuration as Group Policy can, this tool can configure Windows 2000 terminal servers. In addition, there are times when a configuration between terminal servers or between connections should be different. Terminal Services Configuration is the tool to manage such a scenario.
4. User account properties configured with the Active Directory Users And Computers snap-in.
5. Remote Desktop Connection client configuration.
Connection Configuration
A user’s ability to connect and log on to a terminal server is determined by a number of factors, each of which, if not functioning properly, produces a unique error message:
■ The connection on the terminal server must be accessible. If the client cannot reach the server using TCP/IP, or if the terminal server’s RDP-Tcp connection is disabled, a particularly uninformative error message appears that indicates that the client cannot connect to the server.
Note If you use Windows Firewall, or any other firewall, be sure to open TCP port 3389. Windows Firewall includes a preconfigured exception for Remote Desktop that performs the same configuration.
■ Remote Desktop must be enabled. The ability of a terminal server to accept new connections can be controlled in the Remote tab of the System properties dialog box or by using the change logon /disable and change logon /enable commands. If logon has been disabled, an error message appears indicating that terminal server sessions are disabled or that remote logons are disabled.
■ The server must have available connections. The properties of the connection—the default RDP-Tcp connection, for example—determine the number of available connections in the Network Adapter tab, as shown in Figure 2-14. If sufficient connections are not available, an error message appears that indicates that a network error is preventing connection.
Figure 2-14 The Network Adapter tab of the RDP-Tcp Properties dialog box
■ Encryption must be compatible. The default allows any client to connect to a terminal server without regard to its encryption capability. If you modify the encryption requirements for a connection by using the Encryption Level list in the General tab of the connection properties, as shown in Figure 2-15, clients that are not capable of that encryption mode will not be allowed to connect.
Figure 2-15 The General tab of the RDP-Tcp Properties dialog box
■ The user must have sufficient connection permissions. As shown in Figure 2-16, the Remote Desktop Users group has User Access permissions, which gives the group sufficient permissions to log on to the server. The access control list (ACL) of the connection can be modified to control access in configurations that differ from the default. Refer to the Help And Support Center for more information. If a user does not have sufficient permission to the connection, an error message will appear that indicates that the user does not have access to the session.
Figure 2-16 The Permissions tab of the RDP-Tcp Properties dialog box
■ The user must have the user logon right to log on to the terminal server. Windows Server 2003 separates the right required to log on locally to a server from the right required to log on to a server using a remote desktop connection. The user rights Allow Log On Through Terminal Services, as shown in Figure 2-17, and Deny Log On Through Terminal Services can be used to manage this right, using either local policy or Group Policy. On member servers, the local Administrators and Remote Desktop Users groups have the right to log on through Terminal Services. On domain controllers, only Administrators have the right by default. If a user does not have sufficient logon rights, an error message will appear that indicates that the policy of the terminal server does not allow logon.
Figure 2-17 The Allow Log On Through Terminal Services user right
■ The user must belong to the correct group or groups. Assuming you have managed connection permissions and the right to log on through Terminal Services by assigning rights and permissions to a group, the user attempting to connect to the terminal server must be in that group. With the default configuration of Terminal Server on a member server, users must be members of the Remote Desktop Users group to connect to a terminal server.
■ The Allow Logon To Terminal Server check box must be selected. The user account’s Terminal Services Profile tab, as shown in Figure 2-11, indicates that the user is allowed to log on to a terminal server. If this setting is disabled, the user will receive an error message indicating that the interactive logon privilege has been disabled. This error message is easy to confuse with insufficient user logon rights; however, in that case the error message indicates that the local policy of the server is not allowing logon.
Note A terminal server has one RDP-Tcp connection by default and can have only one connection object per network adapter, but if a terminal server has multiple adapters, you can create connections for those adapters. Each connection maintains properties that affect all user sessions connected to that server connection.
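The checklist above is easiest to apply if the factors are evaluated in the order the error messages distinguish them. The following Python model does exactly that: it is an added example, not code from the book, and the server and user records it uses are constructed. The error strings paraphrase the messages the text associates with each factor, the default holders of the Allow Log On Through Terminal Services right follow the member-server versus domain-controller defaults the text gives, and treating the Encryption Level choices as a strict ranking is this example's simplification.

```python
"""Walk the Terminal Server connection checklist in order and name the first
factor that blocks a Remote Desktop logon. Added example; records are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Encryption Level choices on the General tab of RDP-Tcp Properties, ranked.
# A strict ranking is this example's simplification of "clients not capable
# of that encryption mode will not be allowed to connect".
ENCRYPTION_RANK = {"low": 0, "client compatible": 1, "high": 2, "fips compliant": 3}

# Permission templates on the Permissions tab that are sufficient to log on.
LOGON_TEMPLATES = {"User Access", "Full Control"}

# Paraphrase of the error each failing factor produces, in checklist order.
ERRORS = {
    "unreachable": "client cannot connect to the server",
    "logon_disabled": "terminal server sessions / remote logons are disabled",
    "no_connections": "a network error is preventing connection",
    "encryption": "client is not capable of the required encryption level",
    "permission": "user does not have access to the session",
    "logon_right": "the policy of the terminal server does not allow logon",
    "account_flag": "the interactive logon privilege has been disabled",
}


@dataclass
class TerminalServer:
    reachable: bool = True                 # TCP/IP path to port 3389 exists
    rdp_tcp_enabled: bool = True           # RDP-Tcp connection object not disabled
    logon_enabled: bool = True             # Remote tab / 'change logon /enable'
    max_connections: Optional[int] = None  # Network Adapter tab; None = unlimited
    active_sessions: int = 0
    encryption_level: str = "client compatible"
    is_domain_controller: bool = False
    # Permissions tab of the RDP-Tcp connection: group -> permission template
    connection_acl: Dict[str, str] = field(default_factory=lambda: {
        "Administrators": "Full Control", "Remote Desktop Users": "User Access"})
    allow_logon_through_ts: Optional[Set[str]] = None   # filled in below when None
    deny_logon_through_ts: Set[str] = field(default_factory=set)

    def __post_init__(self):
        # Default holders of Allow Log On Through Terminal Services: member servers
        # grant it to Administrators and Remote Desktop Users, domain controllers
        # only to Administrators.
        if self.allow_logon_through_ts is None:
            self.allow_logon_through_ts = (
                {"Administrators"} if self.is_domain_controller
                else {"Administrators", "Remote Desktop Users"})


@dataclass
class User:
    name: str
    groups: Set[str]
    client_encryption: str = "high"              # best level the client supports
    allow_logon_to_terminal_server: bool = True  # Terminal Services Profile tab box


def first_failing_factor(server: TerminalServer, user: User) -> str:
    """Return 'ok', or the ERRORS key of the first checklist factor that fails."""
    if not (server.reachable and server.rdp_tcp_enabled):
        return "unreachable"
    if not server.logon_enabled:
        return "logon_disabled"
    if server.max_connections is not None and server.active_sessions >= server.max_connections:
        return "no_connections"
    required = ENCRYPTION_RANK[server.encryption_level]
    if required > ENCRYPTION_RANK["client compatible"] and ENCRYPTION_RANK[user.client_encryption] < required:
        return "encryption"
    # Group membership carries both the connection permission and the logon
    # right, so a user in no suitable group fails one of the next two checks.
    if not any(server.connection_acl.get(g) in LOGON_TEMPLATES for g in user.groups):
        return "permission"
    if (user.groups & server.deny_logon_through_ts) or not (user.groups & server.allow_logon_through_ts):
        return "logon_right"
    if not user.allow_logon_to_terminal_server:
        return "account_flag"
    return "ok"


def diagnose(server: TerminalServer, user: User) -> str:
    """Human-readable verdict for one user against one server."""
    key = first_failing_factor(server, user)
    if key == "ok":
        return f"{user.name}: connection succeeds"
    return f"{user.name}: {key} ({ERRORS[key]})"


if __name__ == "__main__":
    member = TerminalServer()
    print(diagnose(member, User("lorrin", {"Domain Users", "Remote Desktop Users"})))
    print(diagnose(TerminalServer(is_domain_controller=True), User("terry", {"Remote Desktop Users"})))
```

Because each check returns as soon as it fails, the verdict always names the earliest factor, which is the one whose error message the user would actually see; fixing it and re-running surfaces the next problem, if any.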
Device Redirection
Once a user has successfully connected, Windows Server 2003 and the Remote Desktop client provide a wide array of device redirection options, including:
■ Audio redirection, which allows audio files played within the Terminal Server session to be played by the user’s PC. This feature is specified on the Local Resources tab of the Remote Desktop Connection client, as shown in Figure 2-12. However, audio redirection is disabled by default in the Client Settings tab of the RDP-Tcp Properties dialog box, as shown in Figure 2-18. Audio redirection can be specified by a GPO.
Figure 2-18 The RDP-Tcp Properties dialog box Client Settings tab
■ Drive redirection, which allows the user to access drives that are local to the user’s PC from within the Remote Desktop session. Local drives are visible in My Computer under the Other group, as shown in Figure 2-19. This option is disabled by default, and can be enabled in the Local Resources tab of the Remote Desktop client. Terminal Server Configuration can override the client setting and disable drive redirection from the properties of the connection. These settings can also be specified by Group Policy. The user account’s Connect Client Drives At Logon setting does not affect drive redirection using the Remote Desktop Connection client; it is meant to manage drive redirection for Citrix’s Integrated Computing Architecture (ICA) clients.
Figure 2-19 My Computer in a Remote Desktop session showing redirected client drives
■ Printer redirection, which allows the user to access printers that are local to the user’s workstation, as well as network printers that are installed on the user’s workstation, from within the Remote Desktop session. The Printers And Faxes folder will display printers that are installed on the terminal server as well as the client’s redirected printers, as shown in Figure 2-20.
Figure 2-20 The Printers And Faxes folder shows a client’s redirected printer
Like drive redirection, printer redirection is specified in the Local Resources tab of the Remote Desktop Connection client. Printer redirection can be disabled by properties of the RDP-Tcp connection. Printer redirection will also be disabled if the Connect Client Printers At Logon setting is not enabled in the user account properties, as shown in Figure 2-21. Selecting this option in the user account does not cause printer redirection; the client must specify redirection in the Local Resources tab. But if disabled, the user account setting will override the client setting. The user account properties also provide a Default To Main Client Printer setting which, if enabled while printer redirection is in effect, will set the default printer in the Remote Desktop session to the same printer set as default on the user’s workstation. If the Default To Main Client Printer setting is disabled, the Remote Desktop session will use the default printer of the terminal server computer. Printer redirection settings can be specified by a GPO.
Figure 2-21 The Environment tab of a user’s properties dialog box
■ Serial Port redirection, which allows a user to launch an application within a terminal server session that uses a device, such as a barcode reader, attached to the serial port of the user’s workstation. This feature is also in the Local Resources tab of the client and can be disabled in the properties of the RDP-Tcp connection. Serial port redirection can be specified by a GPO.
■ LPT and COM port mapping, which allows a user to install a printer within the Terminal Server session that maps to a printer attached to an LPT or COM port on the user’s workstation. This method of printer redirection is not necessary with Windows Server 2003 and the Remote Desktop Connection client, which support printer redirection in a much simpler way as described above. LPT and COM port mapping is, however, still done by default. The RDP-Tcp connection properties can disable port mapping, as can a GPO.
■ Clipboard mapping, which allows the user to copy and paste information between a Remote Desktop session and the client’s workstation. This feature is enabled by default in the Remote Desktop Connection client and cannot be changed within the client’s user interface (UI). The RDP-Tcp connection properties can disable clipboard mapping, as can a GPO.
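The redirection rules above are the order of precedence from the Points of Administration section applied device by device, with three twists the text calls out: the user account only matters for printers (Connect Client Drives At Logon is for ICA clients), the user account and the connection can only switch a redirection off, and the client cannot turn clipboard mapping off at all. The following Python resolver, an added example rather than the book's code, takes the five layers as dictionaries and reports the effective setting and the layer that decided it. The layer values are constructed; the client-side defaults for audio, printer and serial port redirection are assumptions (the text fixes only the drive, LPT/COM and clipboard defaults), and it generalizes the text's per-device statements into one rule set.

```python
"""Resolve effective device redirection for a Remote Desktop session from the
five configuration layers, applying the lesson's order of precedence and its
per-device rules. Added example; layer values are constructed."""
from typing import Dict, Optional, Tuple

DEVICES = ("audio", "drive", "printer", "serial", "lpt_com", "clipboard")

# Lowest-precedence defaults. Drive redirection is off in the client unless
# selected; LPT/COM port mapping and clipboard mapping are on. The audio,
# printer and serial defaults are this example's assumption.
CLIENT_DEFAULTS = {"audio": True, "drive": False, "printer": True,
                   "serial": True, "lpt_com": True, "clipboard": True}

# The RDP-Tcp connection's Client Settings tab disables audio mapping by
# default and leaves the other redirections enabled.
CONNECTION_DEFAULTS = {d: True for d in DEVICES}
CONNECTION_DEFAULTS["audio"] = False

Layer = Optional[Dict[str, bool]]   # a layer is absent (None) or device -> on/off


def effective(device: str, client: Layer = None, user_account: Layer = None,
              connection: Layer = None, user_gpo: Layer = None,
              computer_gpo: Layer = None) -> Tuple[bool, str]:
    """Return (enabled, layer_that_decided) for one redirection type."""
    # Group Policy, computer-level first, overrides every other tool outright.
    for name, layer in (("computer_gpo", computer_gpo), ("user_gpo", user_gpo)):
        if layer is not None and device in layer:
            return layer[device], name
    # The connection's properties override the client and the user account;
    # in the Client Settings tab they can only switch a redirection off.
    if not (connection or {}).get(device, CONNECTION_DEFAULTS[device]):
        return False, "connection"
    # User account: Connect Client Printers At Logon must be on for printer
    # redirection, but it never causes redirection on its own; Connect Client
    # Drives At Logon is meant for ICA clients and is ignored here.
    if device == "printer" and (user_account or {}).get("printer", True) is False:
        return False, "user_account"
    # Clipboard mapping is on in the client and cannot be changed in its UI.
    if device == "clipboard":
        return True, "client"
    return (client or {}).get(device, CLIENT_DEFAULTS[device]), "client"


def resolve_session(**layers: Layer) -> Dict[str, Tuple[bool, str]]:
    """Effective setting and deciding layer for every redirection type."""
    return {d: effective(d, **layers) for d in DEVICES}


if __name__ == "__main__":
    # Practice Exercise 3: the client selects Disk Drives, then the administrator
    # disables drive mapping on the RDP-Tcp connection; the connection wins.
    for device, (on, who) in resolve_session(
            client={"drive": True}, connection={"drive": False}).items():
        print(f"{device:9} {'on ' if on else 'off'}  decided by {who}")
```

Reading the "decided by" column is the quickest way to explain to a user why a redirection they selected in the client is not in effect: anything decided by the connection or a GPO cannot be changed from the client side.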
Managing Sessions and Processes
The Terminal Services Manager console provides the capability to monitor and control sessions and processes on a terminal server. You can disconnect, log off, or reset a user or session, send a message to a user, or end a process launched by any user. Task Manager can also be used to monitor and end processes; just be certain to select the Show Processes From All Users check box. If a terminal server’s performance is lethargic, use Terminal Server Manager or Task Manager to look at the processes being run by all users to determine if one process has stopped responding and is consuming more than its fair share of processor time.
Managing User Sessions
A variety of settings determine the behavior of a user session that has been active, idle, or disconnected for a time. These settings can be configured in the Sessions tab of the RDP-Tcp Properties dialog box in the Terminal Services Configuration console, shown in Figure 2-22. The settings can also be configured with Group Policy.
Figure 2-22 The Sessions tab of the RDP-Tcp Properties dialog box
Load-Balancing Terminal Servers
In previous implementations of Terminal Services, it was difficult to load-balance terminal servers. Windows Server 2003 Enterprise and Datacenter Editions introduce the ability to create server clusters, which are logical groupings of terminal servers. When a user connects to the cluster, the user is directed to one server. If the user’s session is disconnected and the user attempts to reconnect, the terminal server receiving the connection will check with the Session Directory to identify which terminal server is hosting the disconnected session and will redirect the client to the appropriate server.
To configure a terminal server cluster, you need
■ A load-balancing technology such as Network Load Balancing (NLB) or DNS round-robin. The load-balancing solution will distribute client connections to each of the terminal servers.
■ A Terminal Services Session Directory. You must enable the Terminal Services Session Directory, which is installed by default on Windows Server 2003 Enterprise and Datacenter Editions, using the Services console in Administrative Tools. It is best practice to enable the session directory on a server that is not running Terminal Server. The Terminal Services Session Directory maintains a database that tracks each user session on servers in the cluster. The computer running the session directory creates a Session Directory Computers local group, to which you must add the computer accounts of all servers in the cluster.
■ Terminal server connection configuration. Finally, you must direct the cluster’s servers to the session directory. This process involves specifying that the server is part of a directory, the name of the session directory server, and the name for the cluster, which can be any name you wish as long as the same name is specified for each server in the cluster. These settings can be specified in the Server Settings node of Terminal Server Configuration, or they can be set using a GPO applied to an OU that contains the computer objects for the cluster’s terminal servers.
When a user connects to the cluster, the following process occurs:
1. When the user logs on to the terminal server cluster, the terminal server receiving the initial client logon request sends a query to the session directory server.
2. The session directory server checks the username against its database and sends the result to the requesting server as follows:
❑ If the user has no disconnected sessions, logon continues at the server hosting the initial connection.
❑ If the user has a disconnected session on another server, the client session is passed to that server and logon continues.
❑ When the user logs on to a new or disconnected session, the session directory is updated.
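The three requirements and the two-step logon process above can be followed end to end in a small simulation. The Python below is an added example, not code from the book or from Windows: the load balancer is modelled as plain round-robin standing in for NLB or DNS round-robin, the Session Directory is a dictionary keyed by user name, and the server and user names are constructed. It also models the membership requirement: a query from a server that was not added to the Session Directory Computers group is refused, which is the symptom of forgetting that step.

```python
"""Simulate the terminal server cluster logon process: balancer picks a server,
that server queries the Session Directory, a disconnected session is resumed
on the server still hosting it. Added example; names are constructed."""
import itertools
from typing import Dict, Iterable, Optional, Set, Tuple


class SessionDirectory:
    """Stands in for the Terminal Services Session Directory service."""

    def __init__(self):
        self.computers: Set[str] = set()                  # Session Directory Computers group
        self.sessions: Dict[str, Tuple[str, str]] = {}    # user -> (server, state)

    def add_computer(self, server: str) -> None:
        """Add a terminal server's computer account to the local group."""
        self.computers.add(server)

    def query(self, requesting_server: str, user: str) -> Optional[str]:
        """Return the server holding the user's disconnected session, if any.
        Queries from servers outside the computers group are refused."""
        if requesting_server not in self.computers:
            raise PermissionError(f"{requesting_server} is not in Session Directory Computers")
        entry = self.sessions.get(user)
        if entry is not None and entry[1] == "disconnected":
            return entry[0]
        return None

    def update(self, user: str, server: str, state: str) -> None:
        self.sessions[user] = (server, state)

    def remove(self, user: str) -> None:
        self.sessions.pop(user, None)


class TerminalServerCluster:
    def __init__(self, name: str, servers: Iterable[str], directory: SessionDirectory):
        self.name = name                               # same cluster name on every server
        self.directory = directory
        self._balancer = itertools.cycle(list(servers))  # stands in for NLB / DNS round-robin

    def connect(self, user: str) -> Tuple[str, str]:
        """Return (server hosting the session, 'new' or 'redirected')."""
        receiving = next(self._balancer)                 # step 1: balancer picks a server ...
        hosting = self.directory.query(receiving, user)  # ... which queries the directory
        if hosting is None:                              # step 2: no disconnected session
            hosting, how = receiving, "new"
        else:                                            # step 2: pass client to that server
            how = "redirected"
        self.directory.update(user, hosting, "active")   # step 2: directory is updated
        return hosting, how

    def disconnect(self, user: str) -> None:
        server, _ = self.directory.sessions[user]
        self.directory.update(user, server, "disconnected")

    def log_off(self, user: str) -> None:
        self.directory.remove(user)


def demo():
    """Alice disconnects from TS1; her next connection is offered TS3 but lands on TS1."""
    sd = SessionDirectory()
    for s in ("TS1", "TS2", "TS3"):
        sd.add_computer(s)
    cluster = TerminalServerCluster("tscluster", ["TS1", "TS2", "TS3"], sd)
    trail = [cluster.connect("alice")]       # ('TS1', 'new')
    cluster.disconnect("alice")
    trail.append(cluster.connect("bob"))     # ('TS2', 'new')
    trail.append(cluster.connect("alice"))   # ('TS1', 'redirected')
    return trail


if __name__ == "__main__":
    for server, how in demo():
        print(server, how)
```

Note what the simulation does not do: a logged-off user has no directory entry, so the next logon is a new session wherever the balancer sends it, which is why only disconnected sessions survive a reconnect.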
Exam Tip Be sure to know the pieces that are required to establish a terminal server cluster. Should you decide to implement a terminal server cluster within your enterprise, you can refer to the Help And Support Center for detailed instructions for doing so.
Remote Control
Terminal Server allows an administrator to view or take control of a user’s session. This feature not only allows administrators to monitor user actions on a terminal server, but also acts like Remote Assistance, allowing a help desk employee to control a user’s session and perform actions that the user is able to see as well.
To establish remote control, both the user and the administrator must be connected to terminal server sessions. The administrator must open the Terminal Server Manager console from the Administrative tools group, right-click the user’s session, and choose Control. By default, the user will be notified that the administrator wishes to connect to the session and can accept or deny the request.
Important Remote Control is available only when using Terminal Server Manager within a terminal server session. You cannot establish remote control by opening Terminal Server Manager on your PC.
Remote control settings include the ability to remotely view and remotely control a session, as well as whether the user should be prompted to accept or deny the administrator’s access. These settings can be configured in the user account properties in the Remote Control tab, as shown in Figure 2-23, and can be configured by the properties of the RDP-Tcp connection, which will override user account settings. Group Policy can also be used to specify remote control configuration.
Figure 2-23 The Remote Control tab of a user’s properties dialog box
In addition to enabling remote control settings, an administrator must have permissions to establish remote control over the terminal server connection. Using the Permissions tab of the RDP-Tcp Properties dialog box, you can assign the Full Control permission template or, by clicking Advanced, assign the Remote Control permission to a group, as shown in Figure 2-24.
Figure 2-24 The Remote Control permission
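Remote control is an authorization decision with four inputs: where the administrator runs Terminal Server Manager, the Remote Control permission on the connection, the effective remote control settings (user account, overridden by the connection, overridden by Group Policy), and the user's answer to the prompt. The Python below, an added example and not the book's code, makes that decision explicit. The setting names follow the Remote Control tab (enable remote control, require the user's permission, level of control); the ACL and group names are constructed, and treating the connection and GPO layers as whole-settings overrides is this example's simplification.

```python
"""Authorize a remote view or remote control request against a terminal server
session. Added example; groups, ACL entries and settings are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

VIEW, INTERACT = "view", "interact"   # Level of control on the Remote Control tab


@dataclass
class RemoteControlSettings:
    enabled: bool = True               # Enable remote control
    require_permission: bool = True    # Require user's permission (the prompt)
    level: str = INTERACT              # VIEW or INTERACT


def effective_settings(user_account: RemoteControlSettings,
                       connection: Optional[RemoteControlSettings] = None,
                       gpo: Optional[RemoteControlSettings] = None) -> RemoteControlSettings:
    """Connection settings override the user account; a GPO overrides both.
    None at a layer means 'use the lower layer's settings'."""
    return gpo or connection or user_account


def authorize(admin_groups: Set[str], connection_acl: Dict[str, Set[str]],
              settings: RemoteControlSettings, requested: str,
              admin_in_ts_session: bool, user_accepts: Optional[bool]) -> str:
    """Return 'granted', or the reason the request is refused."""
    # Remote control only works from Terminal Server Manager inside a session.
    if not admin_in_ts_session:
        return "refused: Terminal Server Manager must run within a terminal server session"
    # Full Control includes Remote Control; it can also be granted explicitly
    # through Advanced on the Permissions tab of the RDP-Tcp connection.
    held = set().union(*(connection_acl.get(g, set()) for g in admin_groups))
    if not held & {"Full Control", "Remote Control"}:
        return "refused: no Remote Control permission on the connection"
    if not settings.enabled:
        return "refused: remote control is disabled for this session"
    if requested == INTERACT and settings.level == VIEW:
        return "refused: only viewing is allowed"
    if settings.require_permission and not user_accepts:
        return "refused: user did not accept the request"
    return "granted"


if __name__ == "__main__":
    acl = {"Administrators": {"Full Control"},
           "Helpdesk": {"User Access", "Remote Control"},
           "Remote Desktop Users": {"User Access"}}
    account = RemoteControlSettings()
    view_only = RemoteControlSettings(level=VIEW)   # set on the RDP-Tcp connection
    print(authorize({"Helpdesk"}, acl, account, INTERACT, True, True))
    print(authorize({"Helpdesk"}, acl, effective_settings(account, view_only), INTERACT, True, True))
```

The order of the checks mirrors the text: the permission on the connection is required before any setting is consulted, and the consent prompt is the last gate, so a help desk group with only User Access is refused before the user is ever prompted.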
See Also For more information about implementing Terminal Server in a production environment, be sure to read Microsoft Windows Server 2003 Terminal Services by Bernhard Tritsch (Microsoft Press, 2004).
Practice: Preparing Terminal Server
In this practice, you will install Terminal Server on Server02, configure a user account to enable Terminal Server logon, and configure device redirection. To perform this practice, you will need a second computer installed with Windows Server 2003, named Server02, and belonging to the contoso.com domain.
Exercise 1: Installing Terminal Server
1. Log on to Server02.
2. Open Add/Remove Programs from Control Panel.
3. Click Add/Remove Windows Components to open the Windows Components Wizard.
4. Select the Terminal Server check box.
A Configuration Warning appears, reminding you that the Internet Explorer Enhanced Security Configuration will restrict users’ Web access.
5. Click Yes, and then click Next.
A message appears discussing the installation of applications on a terminal server.
6. Click Next, ensure that Full Security is selected, and then click Next.
7. On the Terminal Server Setup page, select I Will Specify A License Server Within 120 Days, and then click Next.
8. Select Per User Licensing Mode and click Next.
The Configuring Components page appears while Terminal Server is installed.
9. Click Finish.
10. Restart Server02.
Exercise 2: Configuring Terminal Server Users
1. Log on to Server01 as Administrator.
2. Open Active Directory Users And Computers.
3. Create a user account in the Users container named Lorrin Smith-Bates.
You might already have an account for Lorrin Smith-Bates if you have worked through lessons in other chapters. Write down the username and password assigned to this account; you will be logging on as Lorrin Smith-Bates in the next exercise.
4. Create a global security group account in the Users container named Contoso Terminal Server Users.
5. Add Lorrin Smith-Bates to the Contoso Terminal Server Users group.
6. Add the Contoso Terminal Server Users group to the Print Operators group.
Because Lorrin is a user, he would not be able to log on to Server01, a domain controller. For the purposes of this practice, Lorrin needs the right to log on locally to Server01, and nesting his account in the Print Operators group is an easy way to achieve that goal.
7. Log off of Server01.
8. Log on to Server02 as Administrator.
9. Click Start, right-click My Computer, and choose Manage.
10. Expand the Local Users And Groups snap-in in the console tree.
11. Select the Groups node.
12. Double-click Remote Desktop Users in the details pane.
13. Add the Contoso Terminal Server Users group as a member.
Exercise 3: Logging On to Terminal Server with Device Redirection
1. Log on to Server01 as Lorrin Smith-Bates.
2. Open Remote Desktop Connection from the All Programs\Accessories\Communications program group.
3. In the Computer box, type server02.contoso.com and click Connect.
4. In the Remote Desktop session, log on to Server02 as Lorrin Smith-Bates.
5. Open My Computer and note that the drives shown are the drives on Server02.
6. In the Remote Desktop session, log off Server02.
7. Open Remote Desktop Connection again and click the Options button.
8. Click the Local Resources tab, select the Disk Drives check box, and click Connect.
9. A Security Warning appears. Click OK.
10. In the Remote Desktop session, log on to Server02 as Lorrin Smith-Bates.
11. Open My Computer, and note that you now see the drives on Server01 in the group called Other.
12. In the Remote Desktop session, log off of Server02.
13. Do not log off of Server01. Log directly on to Server02 as Administrator.
14. On Server02, open the Terminal Services Configuration console from the Administrative Tools folder.
15. Select Connections in the console tree.
16. Double-click RDP-Tcp in the details pane.
17. In the Client Settings tab, select the Drive Mapping check box, and click OK to close the RDP-Tcp Properties dialog box.
18. On Server01, still logged on as Lorrin, open Remote Desktop Connection.
19. Ensure that server02.contoso.com is entered as the computer and, in the Local Resources tab, that the Disk Drives check box is still selected.
20. Click Connect, and log on to Server02 as Lorrin Smith-Bates. Click OK to close the Security Warning message box.
21. Open My Computer.
Local drives are no longer redirected. The setting you configure in the properties of the RDP-Tcp connection overrides client settings.
Lesson Review
The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.
1. You have enabled Remote Desktop connections on Server02, a member server in the contoso.com domain. Terminal Server is installed on Server02. You want Danielle Tiedt to be able to connect using the Remote Desktop Connection client. What additional configuration must first be performed on Server02?
2. You have enabled Remote Desktop connections on Server01, a domain controller in the contoso.com domain. Terminal Server is installed on Server01. You want Terry Adams to be able to connect using the Remote Desktop Connection client. Terry is a member of the Remote Desktop Users group on Server01. What additional configuration must first be performed for Terry to successfully connect?
3. Name three locations where you can configure Terminal Server settings that will override settings on the Remote Desktop Connection client.
Lesson Summary
■ Terminal Server provides applications in a multiuser environment. Those applications must be installed using Add Or Remove Programs or the Change User command.
■ For a user to successfully connect, Remote Desktop connections must be enabled on the server, the server’s connection (for example, the RDP-Tcp connection) must allow connections for a group to which the user belongs, the user must be in a group that is granted the right Allow Logon Through Terminal Services, and the user account must Allow Logon To Terminal Server. On a member server, all the appropriate permissions are configured by default for the Remote Desktop Users group, so you must simply enable Remote Desktop connections and add the user to that group.
■ A domain controller’s security policy does not, by default, grant the Allow Logon Through Terminal Services user right.
■ Various Terminal Server settings can be configured on the client, in the user account, on the connection, or on the server. Most of these settings can additionally be configured through Group Policy for terminal servers running Windows Server 2003.
■ Windows Server 2003 and the Remote Desktop Connection client support device redirection including audio devices, printers, and disks.
■ To load-balance terminal servers, you must configure a load-balancing technology such as NLB or DNS round-robin, enable the Terminal Services Session Directory on a server, add computer accounts for the servers to the directory server’s Session Directory Computers local group, and configure the servers to belong to the cluster through Terminal Server Configuration or Group Policy.
■ You can monitor and remotely control a user’s Terminal Services session by connecting to the terminal server with the Remote Desktop Connection client, opening Terminal Server Manager, right-clicking the user session, and choosing Remote Control.
Case Scenario Exercise
As part of the remote administration of your enterprise, your company has enabled Remote Assistance on each computer. Your sales representatives travel frequently and use laptops to perform their work while they travel.
On your internal network, you use Windows Messenger for spontaneous communication with your clients, and for Remote Assistance. However, you disallow Instant Messenger traffic across the Internet by closing port 1863 at the firewall.
You want to perform Remote Assistance for your remote users, but cannot connect to them with Windows Messenger to determine whether they are online.
Is Remote Assistance possible for your remote users? If so, how would you accomplish it?
Troubleshooting Lab
You are trying to connect to a server running Windows Server 2003 in your environment with a Remote Desktop Connection but consistently get the message shown in Figure 2-25 when attempting to connect.
Figure 2-25 Error Logon Message when connecting to the Remote Desktop For Administration console
Lesson 5 Terminal Server 2-49
You have checked settings on the server and confirmed the following:
■ You are a member of the Remote Desktop Users group.
■ You are not a member of the Administrators group.
■ You are able to connect to share points on the computer running Terminal Server,
and the computer responds affirmatively to a ping.
What other settings will you check on the computer running Terminal Server to troubleshoot this problem?
Chapter Summary
■ MMCs are the common, system tool interface in Windows Server 2003.
■ Snap-ins are individual tools that can be loaded into an MMC.
■ Some snap-ins can be used to configure remote computers; others are limited to
local computer access.
■ MMCs can be saved in either Author (full access) or User (limited access) modes. The mode of an MMC neither grants nor removes a user’s ability to perform tasks; what the user can do is governed by the permissions he or she already holds.
■ Remote Desktop For Administration allows for the same administration of a server
from a remote location as if logged on to the local console interactively.
■ Remote Desktop For Administration, for desktop operating systems, is available
only with Windows XP.
■ Remote Assistance is like Remote Desktop For Administration for the desktop,
allowing remote viewing and control of Windows XP desktop computers.
■ Remote Assistance will also work on a computer running Windows Server 2003.
■ Two users are required for Remote Assistance to be viable: one user at the target desktop, and the expert helper at another computer. Both must agree on the control actions taken during the session, and the session can be ended by either party at any time.
Exam Highlights
Before taking the exam, review the key points and terms that are presented below to help you identify topics you need to review. Return to the lessons for additional practice and review the “Further Reading” sections in Part 2 for pointers to more information about topics covered by the exam objectives.
Key Points
■ MMCs are the containers for snap-ins.
■ Snap-ins can be used in either local or remote context but cannot be connected to
both the local and remote computers simultaneously.
■ Snap-ins can be combined in a single console to suit administrative preference.
■ MMCs can be saved in User mode to restrict their configuration, but the ability to
perform tasks with the tool is governed by permissions, not by limitations placed
on a particular MMC. If a user has sufficient privilege to administer a computer, the
user can create MMCs with any snap-in.
■ Remote Desktop For Administration requires permissions to attach with the Remote
Desktop client. By default, this permission is granted only to Administrators.
■ Remote Assistance is a two-way, agreed session. At no time can an expert take
unauthorized control of a user’s computer.
■ Port 3389, the same port used by Remote Desktop For Administration, must be
open at the firewall for Remote Assistance sessions to be established.
Key Terms
Remote Assistance vs. Remote Desktop For Administration
Remote Assistance allows a remote control session to be established from an expert user as invited by a novice user. The credentials for authentication are supplied in the form of a shared secret password created within the invitation by the novice. Remote Desktop For Administration involves only one user connected remotely to a computer running the Terminal Server service and configured to allow Remote Desktop connections by the user.
Microsoft Management Console (MMC)
Remote Desktop For Administration
Credentials and server configuration required for Remote Desktop For Administration connections.
Questions and Answers 2-51
Questions and Answers
Lesson 1 Review (page 2-8)
1. What is the default mode when you create an MMC?
The default mode for an MMC is Author mode.
2. Can a snap-in have focus on both the local computer and a remote computer
simultaneously?
No. Snap-ins can be configured to connect to the local computer, or a remote computer, but not
both simultaneously.
3. If you want to limit the access of a snap-in, how do you construct the MMC that
contains the snap-in?
Save the console in one of the User modes, depending on the level of limitation you want.
Lesson 2 Review (page 2-11)
1. What credentials are required for administration of a remote computer using the
MMC?
You must have administrative credentials on the remote computer to perform remote
administration.
2. Can an existing MMC snap-in be changed from local to remote context, or must a
snap-in of the same type be loaded into the MMC for remote connection?
A snap-in’s context might be changed by accessing the properties of the snap-in. A snap-in does
not have to be reloaded to change its configuration.
3. Are all functions within a snap-in used on a local computer usable when connected remotely?
No, not all functionality is available. The Device Manager component in the Computer Management snap-in, for example, can be used only to view remote computer configurations; no changes can be made to the remote computer’s device configuration.
Lesson 3 Review (page 2-19)
1. How many simultaneous connections are possible to a Terminal Server running in
Remote Administration mode? Why?
Three; two remote connections and one at the console (but that’s not fair, is it?). Technically, then, two is the limit because the application-sharing components are not installed with Terminal Server configured in Remote Desktop mode for remote administration.
2. What would be the best way to give administrators the ability to administer a
server remotely through Terminal Services?
a. Don’t do anything; they already have access because they are administrators.
b. Remove the Administrators from the permission list on the Terminal Server
connection, and put their administrator account in the Remote Desktop For
Administration Group.
c. Create a separate, lower-authorization user account for Administrators to use
daily, and place that account in the Remote Desktop For Administration Group.
The correct answer is c. It is a best practice to log on using an account with minimal credentials, then to launch administrative tools with higher-level credentials using Run As.
3. What tool is used to enable Remote Desktop on a server?
a. Terminal Services Manager
b. Terminal Services Configuration
c. System properties in Control Panel
d. Terminal Services Licensing
The correct answer is c.
Lesson 4 Review (page 2-28)
1. How is Remote Assistance like Remote Desktop For Administration? How is it
different?
Remote Assistance allows for remote control of a computer as if the user were physically at the
console, as does a connection to a Terminal Server through Remote Desktop For Administration.
Remote Desktop For Administration is controlled solely by the directory of accounts, either local
or domain, that is configured for the Terminal Server connections on that computer. Remote
Assistance requires a “handshake” of sorts between the user and the expert helper.
2. What are the benefits of Remote Assistance?
The user does not have to have an expert on site to receive assistance. The difficulty of solving
a problem over the telephone is removed.
3. Which of the following are firewall-related constraints relating to Remote Assistance?
a. Port 3389 must be open.
b. NAT cannot be used.
c. Internet Connection Sharing is not possible.
d. You cannot use Remote Assistance across a Virtual Private Network (VPN).
The correct answer is a.
Lesson 5 Review (page 2-46)
1. You have enabled Remote Desktop connections on Server02, a member server in the contoso.com domain. Terminal Server is installed on Server02. You want Danielle Tiedt to be able to connect using the Remote Desktop Connection client. What additional configuration must first be performed on Server02?
Add Danielle Tiedt to the local Remote Desktop Users group on Server02.
2. You have enabled Remote Desktop connections on Server01, a domain controller
in the contoso.com domain. Terminal Server is installed on Server01. You want
Terry Adams to be able to connect using the Remote Desktop Connection client.
Terry is a member of the Remote Desktop Users group on Server01. What additional configuration must first be performed for Terry to successfully connect?
Configure a GPO, such as the Default Domain Controllers GPO, so that the user right Allow
Logon Through Terminal Services is configured and assigned to the Remote Desktop Users
group.
3. Name three locations where you can configure Terminal Server settings that will
override settings on the Remote Desktop Connection client.
The properties of user objects in Active Directory, the properties of the terminal server connection (for example, RDP-Tcp connection), and Terminal Services group policies.
Case Scenario Exercise (page 2-48)
Is Remote Assistance possible for your remote users? If so, how would you accomplish it?
You must use one of the alternate methods of requesting Remote Assistance.
■ The E-Mail Method: Send an e-mail to the expert through Help And Support Tools. When the expert accesses the link in the e-mail, the expert will be able to establish a Remote Assistance session.
■ File Method: Create a Remote Assistance file through Help And Support Tools. E-mail the file to the expert, or have the expert access it through a file share point. When the expert accesses the link within the file, the expert will be able to establish a Remote Assistance session.
In both methods, it is highly recommended that you create a password for the Remote Assistance session, and give the expert the password in a secure fashion so that your Remote Assistance session cannot be accessed by an unauthorized person.
Troubleshooting Lab (page 2-48)
What other settings will you check on the computer running Terminal Server to troubleshoot this problem?
It is likely that the Terminal Server in question is a domain controller, and that the Default Domain Controller Group Policy has not been enabled to allow remote connections by the Remote Administrative Users group. The Local Group Policy on domain controllers forbids non-administrator remote connections, and must be changed. The easiest way to change the Local Policy is to override it with a change to the Default Domain Controller Group Policy.
3 User Accounts
Exam Objectives in this Chapter:
■ Create and manage user accounts
■ Create and modify user accounts by using the Active Directory Users And Computers Microsoft Management Console (MMC) snap-in
■ Create and modify user accounts by using automation
■ Import user accounts
■ Manage local, roaming, and mandatory user profiles
■ Troubleshoot user accounts
■ Diagnose and resolve account lockouts
■ Diagnose and resolve issues related to user account properties
■ Troubleshoot user authentication issues
Why This Chapter Matters
Before individuals in your enterprise can access the resources they require, you must enable authentication of those individuals. Of course, the primary component of that authentication is the user’s identity, often referred to as an account, in Active Directory directory service. In this chapter, you will review and enhance your knowledge related to the creation, maintenance, and troubleshooting of user accounts and authentication.
Each enterprise, and each day, brings with it a unique set of challenges related to user management. The properties you configure for a standard user account are likely to be different from those you apply to the account of a help desk team member, which are different still from those configured for the built-in Administrator account. Skills that are effective to create or modify a single user account become clumsy and inefficient when you are working with masses of accounts, such as when creating the accounts for newly hired employees.
To address a diverse sampling of account management scenarios effectively, we
will examine a variety of user management skills and tools, including the Active
Directory Users And Computers snap-in and powerful command-line utilities.
3-2 Chapter 3 User Accounts
Lessons in this Chapter:
■ Lesson 1: Creating and Managing User Objects (page 3-3)
■ Lesson 2: Creating Multiple User Objects (page 3-15)
■ Lesson 3: Managing User Profiles (page 3-32)
■ Lesson 4: Securing and Troubleshooting Authentication (page 3-44)
Before You Begin
This chapter presents the skills and concepts related to user accounts in Active Directory. This training kit presumes you have a minimum of 18 months’ experience and a working knowledge of Active Directory, the MMC, and the Active Directory Users And Computers snap-in. If you desire hands-on practice by using the examples and lab exercises in the chapter, prepare the following:
■ A Microsoft Windows Server 2003 (Standard or Enterprise) computer installed as
Server01 and configured as a domain controller in the domain contoso.com
■ First-level organizational units (OUs): Administrative Groups, Employees, and
Security Groups
■ Global groups, in the Security Groups OU, called Sales Representatives and Sales
Managers
■ The Active Directory Users And Computers console or a customized console with
the Active Directory Users And Computers snap-in
Lesson 1 Creating and Managing User Objects 3-3
Lesson 1: Creating and Managing User Objects
Active Directory requires the verification of an individual’s identity—a process called
authentication—before that individual can access resources. The cornerstone of
authentication is the user’s identity, or account, with its user logon name, password,
and unique security identifier (SID). During logon, Active Directory authenticates the
user name and password entered by the user. The security subsystem can then build
the security access token that represents that user. The access token contains the user
account’s SID, as well as the SIDs of groups to which the user belongs. That token can
then be used to verify user rights assignments, including the right to log on locally to
the system, and to authorize access to resources secured by access control lists (ACLs).
A user’s identity is integrated into the Active Directory user object. The user object
includes not just the user’s name, password, and SID, but also contact information such
as telephone numbers and addresses; organizational information including job title,
direct reports and manager; group memberships; and configuration such as roaming
profile, terminal services, remote access, and remote control settings. This lesson will
review and enhance your understanding of user objects in Active Directory.
After this lesson, you will be able to
■ Create user objects in Active Directory using the Active Directory Users And Computers
snap-in
■ Configure user object properties
■ Understand important account options that are not self-explanatory based on their
descriptions
■ Modify properties of multiple users simultaneously
Estimated lesson time: 15 minutes
Creating User Objects with Active Directory Users And Computers
You can create a user object with the Active Directory Users And Computers snap-in.
Although you can create user objects in the root of the domain or any of the default
containers, it is best to create a user in an organizational unit, so that you can fully
leverage administrative delegation and Group Policy Objects (GPOs).
To create a user object, select the OU or container in which you want to create the object, click the Action menu, then choose New and choose User. You must be a member of the Enterprise Admins, Domain Admins, or Account Operators groups, or you must have been delegated administrative permissions to create user objects in the container. If you do not have sufficient permissions to create user objects, the New User command will be unavailable to you.
The New Object–User dialog box appears, as shown in Figure 3-1. The first page of the
New Object–User dialog box requests properties related to the user name. Table 3-1
describes the properties that appear on the first page of the dialog box.
Figure 3-1 The New Object–User dialog box
Table 3-1 User Properties on the First Page of the New Object–User Dialog Box
First Name: The user’s first name. Not required.
Initials: The middle initials of the user’s name. Not required.
Last Name: The user’s last name. Not required.
Full Name: The user’s full name. If you enter values for the first or last name, the full name property is populated automatically. However, you can easily modify the suggested value. The field is required. The name entered here generates several user object properties, specifically CN (common name), DN (distinguished name), name, and displayName. Because CN must be unique within a container, the name you enter here must be unique relative to all other objects in the OU (or other container) in which you create the user object.
User Logon Name: The user principal name (UPN) consists of a logon name and a UPN suffix which is, by default, the DNS name of the domain in which you create the object. The property is required and the entire UPN, in the format logon_name@UPN_suffix, must be unique within the Active Directory forest. A sample UPN would be someone@contoso.com. The UPN can be used to log on to any Microsoft Windows system running Windows 2000, Windows XP, or Windows Server 2003. You can modify the options available as a UPN suffix by opening the properties of the Active Directory Domains And Trusts snap-in.
User Logon Name (Pre–Windows 2000): This logon name is used to log on from down-level clients, such as Microsoft Windows 95, Windows 98, Windows Millennium Edition (Windows Me), Windows NT 4, or Windows NT 3.51. You can also use it to log on to systems running Windows 2000, Windows XP, or Windows Server 2003. This field is required and must be unique within the domain.
After you have entered the values on the first page of the New Object–User dialog box,
click Next. The second page of the dialog box, shown in Figure 3-2, allows you to
enter the user password and to set account flags.
Figure 3-2 Second page of the New Object–User dialog box
Security Alert The default account policies in a Windows Server 2003 domain, set in the Default Domain Policy GPO, require complex passwords with a minimum of seven characters. Complexity means that a password must contain three of the four character types: uppercase, lowercase, numeric, and nonalphanumeric.
When you use Windows Server 2003 in a test or lab environment, you should implement the same best practices that are required in a production network. Therefore, in this book, you are encouraged to use complex passwords for the user accounts you create; it will be left to you to remember those passwords during exercises that require logging on as those users.
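As an added check (not code from the training kit), the complexity rule the alert describes can be expressed in a few lines. The Windows complexity requirement also rejects a password that contains the account name or any token of the full name of three or more characters, so that part of the rule is included; the sample names are constructed.

```python
"""Check a candidate password against the complexity rule described above:
at least seven characters and at least three of the four character categories
(uppercase, lowercase, numeric, nonalphanumeric), plus the Windows rule that the
password must not contain the account name or a token of the display name.
Added example for this page; not code from the training kit."""
from __future__ import annotations

import re

MIN_LENGTH = 7       # minimum length required by the default domain policy
MIN_CATEGORIES = 3   # "three of four" character types

# Delimiters Windows uses to split the display name into tokens before checking.
_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def character_categories(password: str) -> set[str]:
    """Return the set of character categories present in the password."""
    categories: set[str] = set()
    for ch in password:
        if ch.isupper():
            categories.add("uppercase")
        elif ch.islower():
            categories.add("lowercase")
        elif ch.isdigit():
            categories.add("numeric")
        else:
            categories.add("nonalphanumeric")
    return categories


def name_tokens(display_name: str) -> list[str]:
    """Tokens of the display name that must not appear in the password.
    Windows ignores tokens shorter than three characters."""
    return [t for t in _NAME_DELIMITERS.split(display_name) if len(t) >= 3]


def complexity_failures(password: str, sam_account_name: str, display_name: str) -> list[str]:
    """Return the rules the password violates; an empty list means the password
    satisfies the default domain policy as described in this lesson."""
    failures: list[str] = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_categories(password)) < MIN_CATEGORIES:
        failures.append(f"fewer than {MIN_CATEGORIES} of the 4 character categories")
    lowered = password.lower()  # the name checks are not case-sensitive
    if sam_account_name and sam_account_name.lower() in lowered:
        failures.append("contains the account name")
    for token in name_tokens(display_name):
        if token.lower() in lowered:
            failures.append(f"contains part of the full name ({token!r})")
    return failures


if __name__ == "__main__":
    # Constructed sample: the pre-Windows 2000 logon name and full name from Exercise 1.
    for candidate in ("Pa55word!", "password", "Holme#2005", "Ab1!"):
        print(candidate, complexity_failures(candidate, "dholme", "Dan Holme") or "OK")
```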
The properties available on the second page of the New Object–User dialog box are
summarized in Table 3-2.
Table 3-2 User Properties on the Second Page of the New Object–User Dialog Box
Password: The password that is used to authenticate the user. For security reasons, you should always assign a password. The password is masked as you type it.
Confirm Password: Confirm the password by typing it a second time to make sure you typed it correctly.
User Must Change Password At Next Logon: Select this check box if you want the user to change the password you have entered the first time he or she logs on. You cannot select this option if you have selected Password Never Expires. Selecting this option will automatically clear the mutually exclusive option User Cannot Change Password.
User Cannot Change Password: Select this check box if you have more than one person using the same domain user account (such as Guest) or to maintain control over user account passwords. This option is commonly used to manage service account passwords. You cannot select this option if you have selected User Must Change Password At Next Logon.
Password Never Expires: Select this check box if you never want the password to expire. This option will automatically clear the User Must Change Password At Next Logon setting because they are mutually exclusive. This option is commonly used to manage service account passwords.
Account Is Disabled: Select this check box to disable the user account, for example, when creating an object for a newly hired employee who does not yet need access to the network.
Off the Record When creating objects for new users, choose a unique, complex password
for each user that does not follow a predictable pattern. Select the option to enforce that the
user must change password at next logon. If the user is not likely to log on to the network for
a period, disable the account. When the user requires access to the network for the first
time, ensure that the user’s account is enabled. The user will be prompted to create a new,
unique password that only the user knows.
Some of the account options listed in Table 3-2 have the potential to contradict policies
set in the domain policies. For example, the default domain policy implements a best
practice of disabling the storing of passwords using reversible encryption. However, in
the rare circumstances that require reversible encryption, the user account property,
Store Password Using Reversible Encryption, will take precedence for that specific user
object. Similarly, the domain policy may specify a maximum password age. If a user
object is configured as Password Never Expires, that configuration will override the
domain’s policies.
Managing User Objects with Active Directory Users And Computers
When creating a user, you are prompted to configure the most common user properties, including logon names and password. However, user objects support numerous additional properties that you can configure at any time using Active Directory Users And Computers. These properties facilitate the administration of, and the searching for, an object.
To configure the properties of a user object, select the object, click the Action menu,
and then choose Properties. The user’s Properties dialog box appears, as shown in
Figure 3-3. An alternative way to view an object’s properties would be to right-click
the object and select Properties from the shortcut menu.
Figure 3-3 The user’s Properties dialog box
The property pages in the Properties dialog box expose properties that fall into several
broad categories:
■ Account properties (the Account tab): These properties include those that are configured when you create a user object, including logon names, password, and account flags.
■ Personal information (the General, Address, Telephones, and Organization tabs): The General tab exposes the name properties that are configured when you create a user object.
■ User configuration management (the Profile tab): Here you can configure the user’s profile path, logon script, and home folder locations.
■ Group membership (the Member Of tab): You can add and remove user groups and set the user’s primary group.
■ Terminal services (the Terminal Services Profile, Environment, Remote Control, and Sessions tabs): These four tabs allow you to configure and manage the users’ experience when they are connected to a Terminal Services session.
■ Remote access (the Dial-in tab): Allows you to enable and configure remote access permission for a user.
■ Applications (the COM+ tab): Assigns Active Directory COM+ partition sets to the user. This feature, new to Windows Server 2003, facilitates the management of distributed applications.
Account Properties
Of particular note are the user’s account properties in the Account tab of the user’s
Properties dialog box. An example appears in Figure 3-4.
Figure 3-4 The user Account tab
Several of these properties were discussed in Table 3-2. Those properties were configured when creating the user object and can be modified, as can a larger set of account properties, using the Account tab. Several properties are not necessarily self-explanatory, and deserve definition in Table 3-3.
Table 3-3 User Account Properties
Logon Hours: Click Logon Hours to configure the hours during which a user is allowed to log on to the network.
Log On To: Click Log On To if you want to limit the workstations to which the user can log on. This is called Computer Restrictions in other parts of the user interface. You must have NetBIOS over TCP/IP enabled for this feature to restrict users because it uses the computer name, rather than the Media Access Control (MAC) address of its network card, to restrict logon.
Store Password Using Reversible Encryption: This option, which stores the password in Active Directory without using Active Directory’s powerful, nonreversible encryption hashing algorithm, exists to support applications that require knowledge of the user password. If it is not absolutely required, do not enable this option because it weakens password security significantly. Passwords stored using reversible encryption are similar to those stored as plaintext. Macintosh clients using the AppleTalk protocol require knowledge of the user password. If a user logs on using a Macintosh client, you will need to select the option to Store password using reversible encryption.
Smart Card Is Required For Interactive Logon: Smart cards are portable, tamper-resistant hardware devices that store unique identification information for a user. They are attached to, or inserted into, a system and provide an additional, physical identification component to the authentication process.
Account Is Trusted For Delegation: This option enables a service account to impersonate a user to access network resources on behalf of a user. This option is not typically selected, certainly not for a user object representing a human being. It is used more often for service accounts in three-tier (or multi-tier) application infrastructures.
Account Expires: Use the Account Expires controls to specify when an account expires.
Tip When configuring domain accounts for services, it is common to specify that the account password never expires. In such situations be sure you use a long, complex password. If the service account is used by services on a limited number of systems, you can increase the security of the account by configuring the Log On To property with the list of systems using the service account.
Managing Properties on Multiple Accounts Simultaneously
Windows Server 2003 allows you to modify the properties of multiple user accounts simultaneously. You simply select several user objects by holding the CTRL key as you click each user, or by using any other multiselection techniques. Be certain that you select only objects of one class, such as users. After you have multiselected, click the Action menu, and then choose Properties.
When you have multiselected user objects, a subset of properties is available for modification.
■ General tab: Description, Office, Telephone Number, Fax, Web Page, E-mail
■ Account tab: UPN Suffix, Logon Hours, Computer Restrictions (logon workstations), all Account Options, Account Expires
■ Address tab: Street, PO Box, City, State/Province, ZIP/Postal Code, Country/Region
■ Profile tab: Profile Path, Logon Script, and Home Folder
■ Organization tab: Title, Department, Company, Manager
Tip Be sure to know which properties can be modified for multiple users simultaneously. Exam scenarios and simulations that suggest a need to change many user objects’ properties as quickly as possible are often testing your understanding of multiselect.
There are still many properties that must be set on a user-by-user basis. Also, certain administrative tasks, including the resetting of passwords and the renaming of accounts, can be performed on only one user object at a time.
Saved Queries
The Active Directory Users And Computers MMC console and snap-in contains a new
node labeled Saved Queries. This node allows you to create views of Active Directory
objects that display the current results of a query you define. Some administrators refer
to these as “virtual folders” or “virtual OUs.”
The Windows Help And Support Center provides details about how to create saved
queries (search for “Saved Queries”), and learning how to create saved queries is a
valuable skill, both for the certification exam and for the real world. Examples of useful
saved queries that you might choose to create include:
■ All users, groups, or computers in the domain or in an OU and its child OUs
■ Disabled user or computer accounts
■ Locked out accounts
■ Users with a particular job title or Company property
■ Users who have not changed their passwords or logged on for a particular period
of time
■ User accounts with the Password Never Expires flag set
Within the result set displayed by a saved query, you can perform the same administrative tasks that you would perform on objects in an OU. For example, you might use a saved query to identify all users in the domain who have not changed their password in 90 days and disable their accounts. Or you might use a saved query that displays disabled accounts to identify those accounts that should be deleted. By using saved queries and by changing multiple user accounts at once, you can administer your domain users, groups, and computers with minimal administrative effort.
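The account options in Table 3-3 are stored as bits of the user object’s userAccountControl attribute, and the saved queries listed above are LDAP filters over that attribute and over pwdLastSet and lockoutTime. The following added example (not code from the training kit) decodes those bits, builds the filters, and applies the same criteria to constructed sample records; the flag values and the bitwise-AND matching rule OID are the documented Active Directory values, while the record layout is an assumption for illustration.

```python
"""Account options as userAccountControl bits, and the LDAP filters behind the
saved queries described in this lesson. Added example; not from the training kit."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# userAccountControl bits that correspond to options on the Account tab (Tables 3-2 and 3-3).
ACCOUNTDISABLE = 0x0002              # Account Is Disabled
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080  # Store Password Using Reversible Encryption
NORMAL_ACCOUNT = 0x0200              # set on every ordinary user object
DONT_EXPIRE_PASSWORD = 0x10000       # Password Never Expires
SMARTCARD_REQUIRED = 0x40000         # Smart Card Is Required For Interactive Logon
TRUSTED_FOR_DELEGATION = 0x80000     # Account Is Trusted For Delegation

FLAG_NAMES = {
    ACCOUNTDISABLE: "Account Is Disabled",
    ENCRYPTED_TEXT_PWD_ALLOWED: "Store Password Using Reversible Encryption",
    DONT_EXPIRE_PASSWORD: "Password Never Expires",
    SMARTCARD_REQUIRED: "Smart Card Is Required For Interactive Logon",
    TRUSTED_FOR_DELEGATION: "Account Is Trusted For Delegation",
}

# LDAP extensible-match rule "bitwise AND": true when attribute & value == value.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
USER_OBJECTS = "(objectCategory=person)(objectClass=user)"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def account_options(uac: int) -> list[str]:
    """Names of the Account tab options that are set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if uac & bit]


def to_filetime(when: datetime) -> int:
    """Convert a timezone-aware datetime to the 100-nanosecond FILETIME integer
    that Active Directory stores in pwdLastSet and lockoutTime."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filter_users_with_flag(bit: int) -> str:
    """Saved-query filter for users with a given userAccountControl bit set."""
    return f"(&{USER_OBJECTS}(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={bit}))"


def filter_locked_out() -> str:
    """lockoutTime is 0 or absent unless the account is currently locked out."""
    return f"(&{USER_OBJECTS}(lockoutTime>=1))"


def filter_stale_passwords(days: int, now: datetime) -> str:
    """Users whose password was last set more than `days` ago. pwdLastSet=0 means
    User Must Change Password At Next Logon, not a stale password, so it is excluded."""
    cutoff = to_filetime(now - timedelta(days=days))
    return f"(&{USER_OBJECTS}(pwdLastSet>=1)(pwdLastSet<={cutoff}))"


# The same criteria applied locally to constructed sample records (not real directory data).
NOW = datetime(2005, 6, 1, tzinfo=timezone.utc)  # constructed "current time" for the sample

SAMPLE_USERS = [
    {"sAMAccountName": "dholme", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": to_filetime(NOW - timedelta(days=10)), "lockoutTime": 0},
    {"sAMAccountName": "hcarbeck", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "pwdLastSet": to_filetime(NOW - timedelta(days=400)), "lockoutTime": 0},
    {"sAMAccountName": "svc-backup",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | TRUSTED_FOR_DELEGATION,
     "pwdLastSet": to_filetime(NOW - timedelta(days=120)), "lockoutTime": 0},
    {"sAMAccountName": "newhire", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": 0, "lockoutTime": to_filetime(NOW - timedelta(minutes=5))},
]


def accounts_with_flag(records, bit: int) -> list[str]:
    return [r["sAMAccountName"] for r in records if r["userAccountControl"] & bit]


def locked_out_accounts(records) -> list[str]:
    return [r["sAMAccountName"] for r in records if r["lockoutTime"] >= 1]


def stale_password_accounts(records, days: int, now: datetime) -> list[str]:
    cutoff = to_filetime(now - timedelta(days=days))
    return [r["sAMAccountName"] for r in records if 1 <= r["pwdLastSet"] <= cutoff]


if __name__ == "__main__":
    print(filter_users_with_flag(DONT_EXPIRE_PASSWORD))
    print(filter_stale_passwords(90, NOW))
    for user in SAMPLE_USERS:
        print(user["sAMAccountName"], account_options(user["userAccountControl"]))
    print("stale (90 days):", stale_password_accounts(SAMPLE_USERS, 90, NOW))
```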
Moving a User
If a user is transferred within an organization, it is possible that you might need to
move his or her user object to reflect a change in the administration or configuration of
the object. To move an object in Active Directory Users And Computers, select the
object and, from the Action menu, choose Move. Alternatively, you can right-click the
object and select Move from the shortcut menu.
Tip A new feature of Windows Server 2003 is that drag-and-drop operations are supported
in several MMC snap-ins, including Active Directory Users And Computers. You can move
objects between OUs by dragging and dropping them.
Practice: Creating and Managing User Objects
In this practice, you will create three user objects. You will then modify properties of
those objects.
Exercise 1: Create User Objects
1. Log on to Server01 as an administrator.
2. Open Active Directory Users And Computers.
3. Create an OU called “Employees” and then select the Employees OU.
4. Create a user account with the following information, ensuring that you use a
strong password:
First Name: Dan
Last Name: Holme
User Logon Name: dan.holme
User Logon Name (Pre-Windows 2000): dholme
5. Create a second user object with the following properties:
First Name: Hank
Last Name: Carbeck
User Logon Name: hank.carbeck
User Logon Name (Pre-Windows 2000): hcarbeck
6. Create a user object for yourself, following the same conventions for user logon
names as you did for the first two objects.
Exercise 2: Modify User Object Properties
1. Open the Properties dialog box for your user object.
2. Configure the appropriate properties for your user object on the General, Address,
Profile, Telephones, and Organization tabs.
3. Examine the many properties associated with your user object, but do not change
any other properties yet.
4. Click OK when finished.
Exercise 3: Modify Multiple User Objects’ Properties
1. Open Active Directory Users And Computers and navigate to the Contoso.com
Employees OU. Select the Employees OU in the tree pane, which will list the user
objects you created in Exercise 1 in the details pane.
2. Select Dan Holme’s user object.
3. Hold the CTRL key and select Hank Carbeck’s user object.
4. Click the Action menu, and then click Properties.
5. Notice the difference between the Properties dialog box here and the more extensive Properties dialog box you explored in Exercise 2. Examine the properties that are available when multiple objects are selected, but do not modify any properties yet.
6. Configure the following properties for the two user objects:
Property Page Property Type
General Description Taught me everything I needed to know about Windows Server 2003
General Telephone Number (425) 555-0175
General Web Page http://www.microsoft.com/learning/books/
Lesson 1 Creating and Managing User Objects 3-13
Address Street One Microsoft Way
Address City Redmond
Address State/Province Washington
Address ZIP/Postal Code 98052
Organization Title Author
Organization Company Microsoft Press
7. Click OK when you finish configuring the properties.
8. Open the properties of the object Dan Holme.
9. Confirm that the properties you configured in step 6 did, in fact, apply to the
object. Click OK when you are finished.
10. Select Dan Holme’s user object.
11. Hold the CTRL key and select Hank Carbeck’s user object. Click the Action menu.
12. Notice that the Reset Password command is not available when you have selected more than one user object. What other commands are not available when multi-selecting? Experiment by selecting one user, opening the Action menu, then selecting two users and opening the Action menu.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. You are using Active Directory Users And Computers to configure user objects in your domain, and you are able to change the address and telephone number properties of the user object representing yourself. However, the New User command is unavailable to you. What is the most likely explanation?
2. You are creating a number of user objects for a team of your organization’s temporary workers. They will work daily from 9:00 A.M. to 5:00 P.M. on a contract that is scheduled to begin in one month and end two months later. They will not work outside of that schedule. Which of the following properties should you configure initially to ensure maximum security for the objects? (Choose all that apply.)
a. Password
b. Logon Hours
c. Account expires
d. Store password using reversible encryption
e. Account is trusted for delegation
f. User must change password at next logon
g. Account is disabled
h. Password never expires
3. Which of the following properties and administrative tasks can be configured or
performed simultaneously on more than one user object? (Choose all that apply.)
a. Last Name
b. User Logon Name
c. Disable Account
d. Enable Account
e. Reset Password
f. Password Never Expires
g. User Must Change Password At Next Logon
h. Logon Hours
i. Computer Restrictions (Logon Workstations)
j. Title
k. Direct Reports
Lesson Summary
■ You must be a member of the Enterprise Admins, Domain Admins, or Account
Operators groups, or you must have been delegated administrative permissions to
create user objects.
■ User objects include the properties typically associated with a user “identity” or
“account,” including logon names and password, and the unique SID for the user.
■ User objects also include properties related to the individuals they represent,
including personal information, group membership, and administrative settings.
Windows Server 2003 allows you to change some of these properties for multiple
users simultaneously.
Lesson 2 Creating Multiple User Objects 3-15
Lesson 2: Creating Multiple User Objects
Occasionally, situations emerge that require you to create multiple user objects quickly, such as a new class of incoming students at a school or a group of new hires at an organization. In these situations, you must know how to facilitate or automate user object creation effectively so that you do not approach the task on an account-by-account basis. In Lesson 1, you learned how to create and manage user objects with Active Directory Users and Computers. This lesson will extend those concepts, skills, and tools to include user object creation through template objects, imported objects, and command-line scripting of objects.
After this lesson, you will be able to
■ Create and utilize user object templates
■ Import user objects from comma-delimited files
■ Leverage new command-line tools to create and manage user objects
Estimated lesson time: 15 minutes
Creating and Utilizing User Object Templates
It is common for objects to share similar properties. For example, all sales representatives may belong to the same security groups, be allowed to log on to the network during the same hours, and have home folders and roaming profiles on the same server. In such cases, it is helpful when creating a user object for that object to be prepopulated with common properties. This can be accomplished by creating a generic user object—often called a template—and then copying that object to create new users.
To generate a user template, create a user object and populate its properties. Put the
user into appropriate groups.
Security Alert Be certain to disable the user object, because it is just a template, to
ensure that the account cannot be used for access to network resources.
To create a user based on the template, select the template and choose Copy from the Action menu or the shortcut menu. You will be prompted for properties similar to those when you created a new user: first and last name, initials, logon names, password, and account options. When the object is created, you will find that properties are copied from the template based on the following property-page-based description:
■ General No properties are copied.
■ Address All properties except Street address are copied.
■ Account All properties are copied except for logon names, which you are
prompted to enter when copying the template.
■ Profile All properties are copied, and the profile and home-folder paths are
modified to reflect the new user’s logon name.
■ Telephones No properties are copied.
■ Organization All properties are copied, except for Title.
■ Member Of All properties are copied.
■ Dial-in, Environment, Sessions, Remote Control, Terminal Services Profile,
COM+ No properties are copied.
Tip A user that has been generated by copying a template has, by default, the same group membership as the template. Permissions and rights that are assigned to those groups therefore apply to the new user. However, permissions or rights assigned directly to the template user object are not copied or adjusted, so the new user will not have those permissions or rights.
Importing User Objects Using Csvde
Occasionally, situations arise that require you to create multiple objects quickly, such as a new class of incoming students at a school or a group of new hires at an organization. In these situations it can be helpful to import the accounts from existing data sources so that you do not approach the task on an account-by-account basis.
Csvde is a command-line utility that allows you to import or export objects in Active
Directory from (or to) a comma-delimited text file (also known as a comma-separated
value or CSV file), which is, of course, a common format easily read and saved using
Notepad and Microsoft Office Excel.
The Csvde command is a powerful way to generate objects quickly. The command’s
basic syntax is
csvde [-i] [-f FileName] [-k]
-i : Specifies import mode. If not specified, the default mode is export.
-f FileName : Identifies the import file name.
-k : Ignores errors including “object already exists,” “constraint violation,” and “attribute
or value already exists” during the import operation and continues processing.
The import file itself is a comma-delimited text file (*.csv or *.txt), in which the first line is a list of Lightweight Directory Access Protocol (LDAP) attribute names for the attributes imported, followed by one line (ending with a carriage return) for each object. Each object must contain exactly the attributes listed on the first line in the same order specified by the first line. If an attribute includes spaces or commas, it must be surrounded by quotation marks. A sample file follows:
DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName
"CN=Scott Bishop,OU=Employees, DC=contoso,DC=com",user,sbishop,Bishop,Scott,scott.bishop@contoso.com
This file, when imported, would create a user object in the Employees OU called Scott
Bishop. The logon, first, and last names are configured by the file. The object will be
disabled initially. After you have reset the password, you can enable the object.
Exam Tip Csvde does not support importing or exporting user passwords.
If mandatory attributes are missing, the object will fail to be created. For example, a
user account cannot be created without the DN and object class. It is a best practice
when creating a user account to include the Pre-Windows 2000 Logon Name in the
user interface (sAMAccountName), the first name (givenName), last name (sn), display
name (displayName), and user principal name (userPrincipalName).
Notice that the attribute objectClass is supported in the file. That means you can use Csvde to create other types of objects. For example, the objectClass “group” would create a group.
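As an added example (not code from the book, and not a Microsoft tool), the following Python script builds a Csvde import file that follows the rules just described: an attribute-name header, one line per object ending in a carriage return, and quotation marks around any value that contains a comma. It refuses rows that lack the mandatory DN and objectClass attributes, and it backslash-escapes commas inside a common name so that a CN such as "Bishop, Scott" is not read as two DN components. The user names, the OU, the UPN suffix, and the output file name newusers.csv are constructed for illustration; the accounts the file creates will be disabled and without a password, as the lesson notes.

```python
import csv
import io

# Column order the lesson recommends for a user import. DN and objectClass are
# mandatory: csvde will not create an object without them.
USER_COLUMNS = ["DN", "objectClass", "sAMAccountName", "sn", "givenName",
                "displayName", "userPrincipalName"]

# Characters that must be escaped inside an RDN value (RFC 4514). Without this,
# a CN such as "Bishop, Scott" would be read as two DN components.
_RDN_SPECIALS = ',+"\\<>;'


def escape_rdn_value(value):
    """Backslash-escape the characters that are special inside an RDN value."""
    out = "".join("\\" + ch if ch in _RDN_SPECIALS else ch for ch in value)
    if out.startswith("#"):
        out = "\\" + out
    return out


def user_row(first, last, samid, ou_dn, upn_suffix):
    """Build one import row for a user object in the given OU (constructed data)."""
    display = f"{first} {last}"
    return {
        "DN": f"CN={escape_rdn_value(display)},{ou_dn}",
        "objectClass": "user",
        "sAMAccountName": samid,
        "sn": last,
        "givenName": first,
        "displayName": display,
        "userPrincipalName": f"{first}.{last}@{upn_suffix}".lower(),
    }


def validate_row(row, columns=USER_COLUMNS):
    """Reject rows csvde would refuse; return the values in header order."""
    missing = [c for c in ("DN", "objectClass") if not row.get(c)]
    if missing:
        raise ValueError("mandatory attribute missing: " + ", ".join(missing))
    return [row.get(c, "") for c in columns]


def render_import_file(rows, columns=USER_COLUMNS):
    """Return the text of a csvde import file: header, then one line per object."""
    buf = io.StringIO()
    # QUOTE_MINIMAL quotes only values that contain a comma (or a quote or a
    # line break), which is the rule the lesson states for DNs.
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\r\n")
    writer.writerow(columns)
    for row in rows:
        writer.writerow(validate_row(row, columns))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample data; the OU and suffix follow the lesson's Contoso examples.
    OU = "OU=Employees,DC=contoso,DC=com"
    hires = [
        user_row("Scott", "Bishop", "sbishop", OU, "contoso.com"),
        user_row("Danielle", "Tiedt", "dtiedt", OU, "contoso.com"),
    ]
    text = render_import_file(hires)
    with open("newusers.csv", "w", newline="") as fh:
        fh.write(text)
    print(text, end="")
    # The imported accounts are disabled and have no password (csvde cannot
    # import passwords): reset each password, then enable the account.
    print("Next step: csvde -i -f newusers.csv -k")
```

Because csv.writer only quotes values that need it, the generated file matches the sample above line for line; the displayName column is included because the lesson lists it among the attributes every user import should carry.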
See Also Chapter 4, “Group Accounts,” includes an example of Csvde used to import groups. For more information about the powerful Csvde command, including details regarding its parameters and its usage to export directory objects, open the Windows Server 2003 Help and Support Center. The Ldifde command, introduced in Chapter 4, Lesson 3, is also covered in detail by the Help and Support Center, and it allows you to import and export accounts using LDAP formats. This command and its file structure are nowhere near as intuitive for administrators as the comma-delimited file supported by Csvde; however, Ldifde does support importing and modifying, but not exporting, user passwords.
Utilizing Active Directory Command-Line Tools
Windows Server 2003 supports a number of powerful command-line tools to facilitate
the management of Active Directory. They are often referred to as the DS commands
because they affect the directory service and because each command begins with “ds.”
See Also This lesson will highlight the most commonly used directory service commands and parameters and the use of these commands for user objects. The commands will be revisited in Chapter 4 in relation to group objects. For more information on these utilities, including the full list of parameters they accept, open the Windows Help And Support Center and search for the phrase, “directory service command-line tools”—be sure to surround the phrase in quotation marks. After clicking Search, you will see the Directory Service Command-Line Tools: Command-Line Reference on the list of Help Topics, under Search Results.
The following is a list, and brief description, of each tool:
■ Dsadd Adds objects to the directory.
■ Dsget Displays (“gets”) properties of objects in the directory.
■ Dsmod Modifies select attributes of an existing object in the directory.
■ Dsmove Moves an object from its current container to a new location. Can also
be used to rename an object without moving it.
■ Dsrm Removes an object, the complete subtree under an object, or both.
■ Dsquery Queries Active Directory for objects that match a specified search criterion. This command is often used to create a list of objects, which are then piped to the other command-line tools for management or modification.
These six tools are described in some detail in later subsections. Each tool uses one or
more command-line options or switches. Before you examine each tool, option, and
switch, look at the following command:
dsquery user "OU=Employees,DC=Contoso,DC=Com" -stalepwd 60
This command queries the Employees OU and returns a list of user objects with passwords that have not been changed (stalepwd stands for “stale password”) for 60 days. You can imagine that this would be useful as a way to audit compliance with corporate password guidelines. The command illustrates important concepts that will resurface as you explore each directory service command:
■ DS commands specify the class, or target object type, of an object that is being created or managed. The example above targets the object type user. The target object type can be one of a predefined set of values that correlate with an object class in Active Directory. Common examples are: computer, user, OU, group, and server (meaning domain controller).
■ The Distinguished Name (DN) of the object against which the command is running is called the target object identity. The DN of an object is an attribute of each object that represents the object’s name and location within an Active Directory forest. For example, in Lesson 1, Exercise 1, you created a user object with the distinguished name: CN=Dan Holme, OU=Employees, DC=Contoso, DC=com. The example above queries the OU with the distinguished name: OU=Employees,DC=Contoso,DC=com.
Note When using DNs in a command parameter, enclose the name in quotation marks
when it includes spaces. If a subcomponent of the distinguished name includes a backslash
or comma, see the online help topic listed earlier.
■ The stalepwd switch in the example is prefixed by a dash (“-”). Switches and
parameters are case-insensitive, meaning that capitalization does not matter and
you can prefix them with either a dash (“-”) or a slash (“/”).
■ The parameters and switches that you use in the command will vary depending on
the type of object you are working with. For example, a user object has a stalepwd
property. A group object has a members property.
By default, the DS commands connect to a domain controller that covers the Active
Directory site of your computer and run under the credentials of the account with
which you are logged on. Each DS command accepts parameters to modify these
default behaviors. These parameters are listed below in the tables that describe each
command.
Dsquery
The Dsquery command queries Active Directory for objects that match a specific criteria set. The command’s basic syntax is:
dsquery object_type [{StartNode | forestroot | domainroot}] [-o {dn | rdn | samid}]
[-scope {subtree | onelevel | base}] [-name Name] [-desc Description] [-upn UPN]
[-samid SAMName] [-inactive NumberOfWeeks] [-stalepwd NumberOfDays] [-disabled]
[{-s Server | -d Domain}] [-u UserName] [-p {Password | *}]
As you can see, there are numerous parameters and options for each parameter. In fact, there are even more than the common items listed here. Do not let the list overwhelm you. First, many of the switches are shared with other directory service commands—so as you learn about a switch in any one command, you will be able to apply that knowledge to other commands. Second, you will not need to know the switches in detail to pass the 70-290 certification exam, and you can always use a reference when applying the commands to real-world tasks.
Exam Tip To meet the objectives of the 70-290 certification exam, you must understand the role and use of each command and how the commands interrelate, and you must be able to achieve specific tasks with the DS commands: pay careful attention to the examples provided in this lesson.
The basic parameters of Dsquery are summarized in Table 3-4.
Table 3-4 Parameters for the Dsquery Command
Parameter Description
Query scope
object_type Required. The object type represents the object class(es) that will be searched. The object type can include computer, subnet, contact, group, OU, site, server, user, or the wildcard “*” to represent any object class. This lesson will focus on the command’s use in querying for the user object type.
{StartNode | forestroot | domainroot} Optional. Specifies the node from which the search begins. You can specify the forest root (forestroot), domain root (domainroot), or a node’s DN (StartNode). If forestroot is specified, the search is performed using the global catalog. The default value is domainroot.
-scope {subtree | onelevel | base} Optional. Specifies the scope of the search. A value of subtree indicates that the scope is a subtree rooted at StartNode. A value of onelevel indicates the immediate children of StartNode only. A value of base indicates the single object represented by StartNode. If forestroot is specified as StartNode, subtree is the only valid scope. By default, the subtree search scope is used.
How to display the result set
-o {dn | rdn | samid} Specifies the format in which the list of entries found by the search will be output or displayed. A dn value displays the distinguished name of each entry. An rdn value displays the relative distinguished name of each entry. A samid value displays the Security Accounts Manager (SAM) account name of each entry. By default, the dn format is used.
Query criteria
-name Name Searches for users whose name attribute (the value of the CN attribute) matches Name. You can use wildcards. For example, “jon*”, “*ath”, or “j*th” would each produce a result set that includes users named Jonathan.
-desc Description Searches for users whose description attribute matches Description. You can use wildcards.
-upn UPN Searches for users whose UPN attribute matches UPN.
-samid SAMName Searches for users whose SAM account name matches SAMName. You can use wildcards.
-inactive NumberOfWeeks Searches for all users that have been inactive (stale) for the specified number of weeks.
-stalepwd NumberOfDays Searches for all users who have not changed their passwords for the specified number of days.
-disabled Searches for all users whose accounts are disabled.
Domain controller and credentials used for the command
{-s Server | -d Domain} Connects to a specified remote server or domain.
-u UserName Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:
■ user name (for example, Linda)
■ domain\user name (for example, widgets\Linda)
■ UPN (for example, Linda@widgets.microsoft.com)
-p {Password | *} Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.
Exam Tip Inactivity is specified in weeks, but password changes are specified in days.
Examine the command used as an example at the beginning of the chapter:
dsquery user "OU=Employees,DC=Contoso,DC=Com" -stalepwd 60
You can now identify the following components of the command:
■ Query Scope The query scope is made up of two components. The first is the target object type, user. The second is the target object identity, StartNode, which is the DN of the Employees OU.
■ Query Criteria Password has been inactive for 60 days or more: -stalepwd 60.
■ How To Display The Result Set DNs. Because no -o switch was used, the command will output using the default format: a list of DNs of objects meeting the criteria within the scope.
Piping Dsquery Results To Other Directory Service Commands
Dsquery is often used to generate a list of objects against which other DS commands will operate. This is accomplished by piping the output of Dsquery to a second command. For example:
dsquery user "OU=Employees,DC=Contoso,DC=Com" -stalepwd 60 | dsmod user -mustchpwd yes
This command line queries the Employees OU for users who have not changed their password for 60 days and pipes the resulting list of objects to Dsmod, which configures each object with the property “User Must Change Password At Next Logon.” The other DS commands accept DNs as their input.
To understand how the command line works, let’s begin by looking at an example of Dsmod (which we will discuss in more detail later in the chapter):
dsmod user "CN=Dan Holme,OU=Employees,DC=Contoso,DC=Com" -mustchpwd yes
This command modifies the account of the user Dan Holme and sets the flag requiring
the user to change passwords at the next logon. Again you can see common elements:
■ The target object type: user
■ The target object identity: Dan Holme. The DN of objects including users, groups,
and computers begins with the common name (CN) of the object followed by its
parent OUs and domain.
■ The switch -mustchpwd, which indicates the “Must Change Password” property, and the value yes, which sets the flag.
You can imagine it would get tiring to enter this command multiple times for each user
who should be required to change passwords. Luckily, you can enter the target object
parameter not only as a DN but by piping a list of objects to the command. Piping
refers to a process through which the output of one command is directed to another
command rather than to the command console. It is called “piping” because you use
the pipe symbol (“|”) to redirect a command’s output.
Look at the following command:
dsquery user "OU=Employees,DC=Contoso,DC=Com" -stalepwd 60 | dsmod user -mustchpwd yes
Notice the familiar Dsquery command that produces a list of users who have not changed passwords for 60 days or more. It is followed by the pipe symbol, indicating that its output (by default, a list of DNs) is redirected. Following the pipe is the Dsmod command without a target object specified. That syntax tells the Dsmod command to receive the input from the Dsquery command. It is no coincidence that the target object identity parameter of a directory service command takes the DN of an object and that the Dsquery command produces, by default, a list of DNs. The Dsmod command will be repeated for each item in the list produced by Dsquery, so together these two commands—Dsquery piped into Dsmod—will set the change password flag for each user account in the Employees OU that has not changed passwords for the last 60 days or more.
We will return to examine Dsmod in more detail. But to wrap up our discussion of
Dsquery and piping its results to other commands, let’s reiterate that the Dsquery
command is often used to produce a list of objects meeting a set of criteria and to
pipe that list of objects into one of the other directory service commands.
Dsadd
The Dsadd command enables you to create objects in Active Directory. When creating a user, use the Dsadd User command. Dsadd parameters allow you to configure specific properties of an object. The parameters are self-explanatory; however, the Windows Server 2003 Help And Support Center provides thorough descriptions of the Dsadd command’s parameters if you desire more explanation.
dsadd user UserDN…
The UserDN… parameter is one or more distinguished names for the new user
object(s). If a DN includes a space, surround the entire DN with quotation marks. You
can enter the UserDN… parameter using one of the following ways:
■ By piping a list of DNs from another command, such as Dsquery.
■ By typing each DN on the command line, separated by spaces.
■ By leaving the DN parameter empty, at which point you can type the DNs, one at a time, at the keyboard console of the command prompt. Press ENTER after each DN. Press CTRL+Z and ENTER after the last DN.
The common parameters for the Dsadd User command, shown below, are self-explanatory. However, the Windows Help And Support Center provides thorough descriptions of these and additional Dsadd parameters if you desire further explanation. Simply search using the name of the command, Dsadd, as your search query.
■ -samid SAMName
■ -upn UPN
■ -fn FirstName
■ -mi Initial
■ -ln LastName
■ -display DisplayName
■ -empid EmployeeID
■ -pwd {Password | *} where * will prompt you for a password
■ -desc Description
■ -memberof GroupDN;...
■ -office Office
■ -tel PhoneNumber
■ -email Email
■ -hometel HomePhoneNumber
■ -pager PagerNumber
■ -mobile CellPhoneNumber
■ -fax FaxNumber
■ -iptel IPPhoneNumber
■ -webpg WebPage
■ -title Title
■ -dept Department
■ -company Company
■ -mgr ManagerDN
■ -hmdir HomeDirectory
■ -hmdrv DriveLetter:
■ -profile ProfilePath
■ -loscr ScriptPath
■ -mustchpwd {yes | no}
■ -canchpwd {yes | no}
■ -reversiblepwd {yes | no}
■ -pwdneverexpires {yes | no}
■ -acctexpires NumberOfDays
■ -disabled {yes | no}
As with Dsquery, you can add -s, -u, and -p parameters to specify the domain controller against which Dsadd will run, and the user name and password—the credentials—that Dsadd will use to execute the command.
■ {-s Server | -d Domain}
■ -u UserName
■ -p {Password | *}
You can use the special token $username$ (case-insensitive) to replace the SAM account name in the value of the -email, -hmdir, -profile, and -webpg parameters. For example, if a SAM account name is “Denise,” you can write the -hmdir parameter in either of the following formats:
■ -hmdir \\server05\users\Denise
■ -hmdir \\server05\users\$username$
Dsmod
The Dsmod command modifies the properties of one or more existing objects.
dsmod user UserDN ... parameters
The command handles the UserDN… parameter exactly as the Dsadd command does and takes the same parameters. Of course now, instead of adding an object with properties, you are modifying an existing object. Note that the exceptions are that you cannot modify the SAMName (-samid parameter) or group membership (-memberof parameter) of a user object using the Dsmod User command.
Exam Tip You can use the Dsmod Group command, discussed in Chapter 4, “Group Accounts,” to change group membership from a command-line utility.
The Dsmod command also takes the -c parameter. This parameter puts Dsmod into
continuous operation mode, in which it reports errors but continues to modify the
objects. Without the -c parameter, Dsmod will stop operation at the first error.
Using Dsquery to pipe objects to Dsmod, you can easily modify selected properties of
many user objects with a single command line. For example:
dsquery user "OU=Employees,DC=Contoso,DC=Com" | dsmod user -profile "\\Server04\Profiles\$username$"
This command modifies all user accounts in the Employees OU to include a user profile attribute pointing to an individual user profile in the Profiles share of Server04. Note the use of the $username$ token, discussed above in the section related to Dsadd: DS commands use $username$, not the %username% token that you would use in the graphical user interface (GUI) administration tools. The following example maps the employees’ U drives to their home folder on Server05:
dsquery user "OU=Employees,DC=Contoso,DC=Com" | dsmod user -hmdir "\\Server04\Profiles\$username$" -hmdrv U:
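The piping discussion above and the Dsmod examples just shown both rest on the same mechanism: Dsquery emits one quoted DN per line, and Dsmod reads that list from its standard input. As an added example that is not from the book and not a Microsoft tool, the following Python wrapper runs the stale-password pipeline in two steps so that an administrator can review the list before any account is changed, which is the habit a bulk modification like this deserves. The dsquery output embedded in it is a constructed sample of the tool's default format; remediate_stale_passwords, dsquery_args, and dsmod_args are names chosen here; the -limit 0 switch is a standard Dsquery option that this lesson does not list (it lifts the default cap of 100 results); and the $username$ token is passed straight through because no shell is involved.

```python
import subprocess

# Constructed sample of what dsquery prints by default: one quoted DN per line.
SAMPLE_DSQUERY_OUTPUT = (
    '"CN=Dan Holme,OU=Employees,DC=Contoso,DC=Com"\r\n'
    '"CN=Hank Carbeck,OU=Employees,DC=Contoso,DC=Com"\r\n'
)


def parse_dsquery_output(text):
    """Turn dsquery's default output (quoted DNs, one per line) into a list of DNs."""
    dns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if len(line) >= 2 and line[0] == '"' and line[-1] == '"':
            line = line[1:-1]
        dns.append(line)
    return dns


def dsquery_args(ou_dn, stale_days):
    """argv for: dsquery user <OU> -stalepwd <days> -limit 0."""
    # -limit 0 lifts dsquery's default cap of 100 results (a standard dsquery
    # switch, although this lesson does not list it).
    return ["dsquery", "user", ou_dn, "-stalepwd", str(stale_days), "-limit", "0"]


def dsmod_args(properties):
    """argv for dsmod user with the given switch/value pairs, plus -c so that one
    failing object is reported but does not stop the run. The DN list is not
    part of argv: it is supplied on stdin, exactly as the pipe would do."""
    argv = ["dsmod", "user"]
    for switch, value in properties.items():
        argv += ["-" + switch, value]
    argv.append("-c")
    return argv


def remediate_stale_passwords(ou_dn, stale_days=60, apply=False,
                              runner=subprocess.run):
    """Two-step form of 'dsquery ... -stalepwd N | dsmod user -mustchpwd yes'.

    Returns the DNs that matched. Nothing is modified unless apply is True;
    runner is injectable so the logic can be exercised without a domain."""
    query = runner(dsquery_args(ou_dn, stale_days),
                   capture_output=True, text=True, check=True)
    dns = parse_dsquery_output(query.stdout)
    if apply and dns:
        # DNs containing spaces must be quoted, just as on the command line.
        stdin_text = "".join('"' + dn + '"\r\n' for dn in dns)
        runner(dsmod_args({"mustchpwd": "yes"}),
               input=stdin_text, text=True, check=False)
    return dns


if __name__ == "__main__":
    import sys
    ou = "OU=Employees,DC=Contoso,DC=Com"   # the lesson's example OU
    found = remediate_stale_passwords(ou, 60, apply="--apply" in sys.argv)
    for dn in found:
        print(dn)
    print(f"{len(found)} user(s) with passwords unchanged for 60 days or more")
    if "--apply" not in sys.argv:
        print("Review the list, then rerun with --apply to set the flag.")
```

Run without arguments the script only lists the accounts Dsquery would hand to Dsmod; with --apply it feeds the same quoted DNs to dsmod user -mustchpwd yes -c on standard input. Because the commands are started with an argument list rather than a shell, values such as \\Server05\Users\$username$ reach Dsmod unchanged, so the same dsmod_args helper can build the -hmdir and -hmdrv modification shown above.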
Dsget
The Dsget command gets, and outputs, selected properties of one or more existing
objects.
dsget user UserDN ... parameters
The command handles the UserDN… parameter exactly as the Dsadd command does, and takes the same parameters except that Dsget takes only the parameter and not an associated value. For example, Dsget takes the -samid parameter, not the -samid SAMName parameter and value. The reason for this is clear: You are displaying, not adding or modifying, a property. In addition, Dsget does not support the -password parameter because it cannot display passwords. Dsget adds the -dn and -sid parameters, which display the user object’s distinguished name and SID, respectively.
Like Dsquery, Dsget with the -dn switch returns DNs. Therefore, it is also used regularly to pipe DNs to other directory service commands.
Exam Tip Keep track of the difference between Dsquery and Dsget. Dsquery finds and returns a result set of objects based on property-based search criteria. Dsget returns properties for one or more specified objects.
Dsmove
The Dsmove command allows you to move or rename an object within a domain. You
cannot use it to move objects between domains. Its basic syntax is:
dsmove ObjectDN [-newname NewName] [-newparent ParentDN]
Dsmove also supports the -s, -u, and -p parameters described in the section regarding
Dsquery.
You specify the object that you want to move by using its DN in the parameter
ObjectDN. To rename the object, specify its new common name in the NewName
parameter. To move an object to a new location, specify the distinguished name of a
container by means of the ParentDN parameter.
Dsrm
You use Dsrm to remove an object, its subtree, or both. The basic syntax is:
dsrm ObjectDN ... [-subtree [-exclude]] [-noprompt] [-c]
It supports the -s, -u, and -p parameters described in the section about Dsquery.
You specify the object by using its distinguished name in the ObjectDN parameter. The -subtree switch directs Dsrm to remove the object’s contents if the object is a container object. The -exclude switch excludes the object itself, and you can use it only in conjunction with -subtree. Specifying -subtree and -exclude would, for example, delete an OU’s contents and its subtree, but leave the specified OU intact. By default, without the -subtree or -exclude switches, only the specified object is deleted.
You will be prompted to confirm the deletion of each object unless you specify the
-noprompt parameter. The -c switch puts Dsrm into continuous operation mode, in
which errors are reported but the command keeps processing additional objects.
Without the -c switch, processing halts on the first error.
Utilizing VBScript to Automate User Administration
The 70-290 certification examination objectives expect you to have a rudimentary understanding of using scripts written in the VBScript scripting language. You will need to be able to recognize, but not necessarily create, simple VBScript operations. However, a more detailed understanding of VBScript is a very useful competency for real-world administration of Active Directory. Because the use of VBScript cuts across multiple topics, including the administration of both users and groups, we have included a supplement entitled “Using VBScript to Automate User and Group Administration” on the CD-ROM accompanying this book.
On the CD Be sure to read the supplement “Using VBScript to Automate User and Group
Administration” on the CD-ROM accompanying this book.
Practice: Creating Multiple User Objects
In this practice, you will create and manage user objects utilizing templates and command-line tools.
Exercise 1: Create a User Template
1. Log on to Server01 as an administrator.
2. Open Active Directory Users And Computers.
3. Select the Employees OU in the tree pane.
4. Create a user account with the following information:
Text Box Name Type
First Name Template
Last Name Sales Representative
User Logon Name: Template.sales.rep
User Logon Name (Pre–Windows 2000): Templatesalesrep
5. Click Next.
6. Select Account Is Disabled. Click Next.
7. The summary page appears. Click Finish.
3-28 Chapter 3 User Accounts
Note As mentioned in the chapter’s “Before You Begin” section, you should create a group
in the Security Groups OU called Sales Representatives. If you have not created such a group,
do so now.
8. Open the properties of the Template Sales Representative object.
9. Configure the following properties for the template account:
Tab Property Value
Member Of Member Of Sales Representatives
Account Logon Hours Monday–Friday, 9:00 A.M.–5:00 P.M.
Account Expires Three months from the current date
Organization Company Contoso
Profile Profile path Server01Profiles%Username%
10. Click OK when you have finished configuring account properties.
Exercise 2: Create Users by Copying a User Template
1. Select the Employees OU in the tree pane.
2. Select the Template Sales Representative object.
3. Click the Action menu, and then click Copy.
4. Create a new user account with the following information:
   Text Box Name                           Type
   First Name                              Scott
   Last Name                               Bishop
   User Logon Name                         Scott.Bishop
   User Logon Name (Pre-Windows 2000)      Sbishop
   Account Is Disabled                     Clear the check box
   Password/Confirm Password               Enter and confirm a complex password as described earlier in this chapter.
5. Click Next, and then click Finish.
6. Open the properties of the object Scott Bishop.
7. Confirm that the information configured for the template on the Member Of, Account, and Organization Property pages were applied to the new object.
8. Because you will use this account for other exercises in the chapter, reset two properties. In the Account tab, set the Account Expires option to Never, and set the Logon Hours so that logon is permitted at any time.
Exercise 3: Import User Objects Using CSVDE
1. Open Notepad.
2. Type the following information carefully, creating 3 lines of text:
   DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName
   "CN=Danielle Tiedt,OU=Employees,DC=contoso,DC=com",user,dtiedt,Tiedt,Danielle,danielle.tiedt@contoso.com
   "CN=Lorrin Smith-Bates,OU=Employees,DC=contoso,DC=com",user,lsmithbates,Smith-Bates,Lorrin,lorrin.smithbates@contoso.com
3. Save the file as “C:\USERS.CSV” being certain to surround the filename with quotation marks. Without quotation marks, the file will be saved as C:\USERS.CSV.TXT.
4. Open the command prompt and type the following command:
   csvde -i -f c:\users.csv
5. If the command output confirms that the command completed successfully, open Active Directory Users And Computers to confirm that the objects were created in the Employees OU. If the command output suggests that there were errors, open the USERS.CSV file in Notepad and correct the errors.
6. You will log on as these users later in this chapter. Because the users were imported without passwords, you must reset their passwords. After you have configured the users’ passwords, enable the accounts. Both the Reset Password and Enable Account commands can be found on either the Action or Objects shortcut menu.
7. If you have access to an application that can open comma-delimited text files such as Microsoft Excel, open C:\USERS.CSV. You will be able to interpret its structure more easily in a columnar display than in Notepad’s one-line, comma-delimited text file display.
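The most common mistake in a hand-typed USERS.CSV is the DN column: it contains commas, so it must be quoted or csvde reads the OU and DC components as separate attributes. The following script, added here as an example and not the book’s own code, generates the import file from a list of users with the csv module doing the quoting, then reads it back and runs a few sanity checks before you ever type csvde -i. The OU, the domain suffix and the sample users are constructed assumptions.

```python
r"""Generate a CSVDE import file like USERS.CSV and check it before running csvde -i.

Added example, not from the book. The DN column contains commas, so it must be
quoted; the csv module does that automatically, which is the step most hand-typed
files get wrong. The OU, domain and the sample users are constructed assumptions.
"""
import csv
import io

# Column order matches the header line the exercise uses for USERS.CSV.
HEADER = ["DN", "objectClass", "sAMAccountName", "sn", "givenName", "userPrincipalName"]

# Constructed sample input: (given name, surname, sAMAccountName).
SAMPLE_USERS = [
    ("Danielle", "Tiedt", "dtiedt"),
    ("Lorrin", "Smith-Bates", "lsmithbates"),
]


def escape_rdn_value(value: str) -> str:
    """Backslash-escape characters that are special inside an RDN value (RFC 4514)."""
    text = "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)
    if text[:1] in ("#", " "):
        text = "\\" + text
    if text.endswith(" "):
        text = text[:-1] + "\\ "
    return text


def build_rows(users, ou_dn="OU=Employees,DC=contoso,DC=com", upn_suffix="contoso.com"):
    """Turn (given, surname, sam) tuples into rows in HEADER order."""
    rows = []
    for given, surname, sam in users:
        dn = f"CN={escape_rdn_value(given + ' ' + surname)},{ou_dn}"
        upn = f"{given.lower()}.{surname.lower().replace('-', '')}@{upn_suffix}"
        rows.append([dn, "user", sam, surname, given, upn])
    return rows


def render_csvde(users, **kw) -> str:
    """Serialize the rows; QUOTE_MINIMAL quotes exactly the fields that contain commas."""
    buf = io.StringIO(newline="")
    writer = csv.writer(buf, lineterminator="\r\n", quoting=csv.QUOTE_MINIMAL)
    writer.writerow(HEADER)
    writer.writerows(build_rows(users, **kw))
    return buf.getvalue()


def parse_csvde(text: str):
    """Read the file back as dicts; shows the quoted DN survives its embedded commas."""
    return list(csv.DictReader(io.StringIO(text, newline="")))


def validate(records):
    """Return basic problems found in the parsed rows (empty list means the file is sound)."""
    problems = []
    seen = set()
    for rec in records:
        missing = [k for k in HEADER if not rec.get(k)]
        if missing:
            problems.append(f"{rec.get('DN')}: missing {missing}")
        if rec.get("objectClass") != "user":
            problems.append(f"{rec.get('DN')}: objectClass must be user")
        sam = rec.get("sAMAccountName")
        if sam in seen:
            problems.append(f"{rec.get('DN')}: duplicate sAMAccountName {sam}")
        seen.add(sam)
    return problems


if __name__ == "__main__":
    text = render_csvde(SAMPLE_USERS)
    print(text, end="")
    print("problems:", validate(parse_csvde(text)))
```

Write the returned text to a file with a .csv extension and import it with csvde -i -f as in step 4; the validate() pass catches the duplicate-sAMAccountName and empty-column cases that otherwise surface only as an error partway through the import.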
Exercise 4: Use Active Directory Command-Line Tools
1. Open the command prompt and type the following command:
   dsquery user "OU=Employees,DC=Contoso,DC=Com" -stalepwd 7
2. The command, which finds user objects that have not changed their password in seven days, should list, at a minimum, the objects you created in exercises 1 and 2. If not, create one or two new user objects and then perform step 1.
3. Type the following command and press ENTER:
   dsquery user "OU=Employees,DC=Contoso,DC=Com" -stalepwd 7 | dsmod user -mustchpwd yes
4. The command used the results of Dsquery as the input for the Dsmod command. The Dsmod command configured the option “User must change password at next logon” for each object. Confirm your success by examining the Account tab of the affected objects.
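What the pipeline in steps 3 and 4 does to the directory is easier to see in a small model. The following Python is an added example, not the book’s code: it runs the two commands over constructed user records. It assumes that dsquery compares the pwdLastSet attribute, which Active Directory stores as a Windows FILETIME (100-nanosecond ticks since 1 January 1601 UTC), against a cutoff, and that dsmod -mustchpwd yes records “User must change password at next logon” by setting pwdLastSet to 0. A record already at 0 is counted as matching the query here because 0 is below any cutoff; whether the real tool excludes such objects is not something the page states, so treat that as an assumption.

```python
r"""Model of the 'dsquery user -stalepwd N | dsmod user -mustchpwd yes' pipeline.

Added example, not from the book. The directory records below are constructed,
and the clock is fixed so the results are reproducible.
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100-nanosecond intervals

# Fixed "now" so the sample ages below are stable.
NOW = datetime(2004, 3, 1, 12, 0, tzinfo=timezone.utc)


def datetime_to_filetime(dt: datetime) -> int:
    """Exact integer conversion; avoids float rounding on a ~1.3e17 tick count."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def make_directory(now=NOW):
    """Constructed user objects with only the attributes the two commands touch."""
    return [
        {"dn": "CN=Scott Bishop,OU=Employees,DC=contoso,DC=com",
         "pwdLastSet": datetime_to_filetime(now - timedelta(days=30))},
        {"dn": "CN=Danielle Tiedt,OU=Employees,DC=contoso,DC=com",
         "pwdLastSet": datetime_to_filetime(now - timedelta(days=10))},
        {"dn": "CN=Lorrin Smith-Bates,OU=Employees,DC=contoso,DC=com",
         "pwdLastSet": datetime_to_filetime(now - timedelta(days=2))},
        {"dn": "CN=Template Sales Representative,OU=Employees,DC=contoso,DC=com",
         "pwdLastSet": 0},  # already flagged: must change password at next logon
    ]


def dsquery_stalepwd(directory, days, now=NOW):
    """DNs whose password was last set at or before now - days (the -stalepwd test)."""
    cutoff = datetime_to_filetime(now - timedelta(days=days))
    return [obj["dn"] for obj in directory if obj["pwdLastSet"] <= cutoff]


def dsmod_mustchpwd(directory, dns):
    """Flag each listed object; returns how many objects actually changed."""
    by_dn = {obj["dn"]: obj for obj in directory}
    changed = 0
    for dn in dns:
        obj = by_dn[dn]
        if obj["pwdLastSet"] != 0:
            obj["pwdLastSet"] = 0  # assumption: this is how the flag is stored
            changed += 1
    return changed


def pipeline(directory, days, now=NOW):
    """dsquery ... -stalepwd days | dsmod user -mustchpwd yes"""
    stale = dsquery_stalepwd(directory, days, now)
    return stale, dsmod_mustchpwd(directory, stale)


if __name__ == "__main__":
    d = make_directory()
    stale, n = pipeline(d, 7)
    print(f"{len(stale)} stale, {n} modified")
    for obj in d:
        age = "must change" if obj["pwdLastSet"] == 0 else filetime_to_datetime(obj["pwdLastSet"])
        print(f"  {obj['dn']}: {age}")
```

The piped form matters because dsmod reads DNs from standard input, so one pipeline flags every stale account; checking the Account tab afterward, as step 4 says, is the manual equivalent of re-running the query and seeing that the same DNs come back.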
Lesson Review
The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.
1. What option will be most useful to generate 100 new user objects, each of which has identical profile path, home folder path, Title, Web Page, Company, Department, and Manager settings?
2. Which tool will allow you to identify accounts that have not been used for two months?
   a. Dsadd
   b. Dsget
   c. Dsmod
   d. Dsrm
   e. Dsquery
3. What variable can be used with the Dsmod and Dsadd commands to create user-specific home folders and profile folders?
   a. %Username%
   b. $Username$
   c. CN=Username
   d. <Username>
4. Which tools allow you to output the telephone numbers for all users in an OU? (Choose all that apply.)
   a. Dsadd
   b. Dsget
   c. Dsmod
   d. Dsrm
   e. Dsquery
Lesson Summary
■ A user object template is an object that is copied to produce new users. If the template is not a “real” user, it should be disabled. Only a subset of user properties are copied from templates.
■ The Csvde command enables you to import directory objects from a comma-delimited text file.
■ Windows Server 2003 supports powerful new command-line tools to create, manage, and delete directory objects: Dsquery, Dsget, Dsadd, Dsmove, Dsmod, and Dsrm. Frequently, Dsquery will produce a result set of objects that are piped as input to other commands.
Lesson 3: Managing User Profiles
You probably wouldn’t read this book if you weren’t supporting users, and you know that there are elements of the user’s system that cause the user pain when they are not present. For example, if a user logs on and does not have access to his or her Microsoft Internet Explorer Favorites, or must reconfigure his or her custom dictionary, or does not see familiar shortcuts or documents on the desktop, the user’s productivity takes an instant plunge, and the help desk gets a call. Each of these examples relates to components of the user profile. Profiles can be configured to enhance their availability, security, and reliability. In this lesson, you will learn how to manage local, roaming, group, and mandatory profiles.
■ Understand the application of local and roaming user profiles
■ Configure a roaming user profile
■ Create a preconfigured roaming user or group profile
■ Configure a mandatory profile
User Profiles
A user profile is a collection of folders and data files that contain the elements of your desktop environment that make it uniquely yours. Settings include:
■ Shortcuts in your Start menu, on your desktop, and in your Quick Launch bar
■ Documents on your desktop and, unless redirection is configured, in your My Documents folder
Tip The properties of the My Documents folder, and the Folder Redirection policies in Group Policy, enable you to redirect My Documents so that it targets a network folder. This best practice allows you to store the contents of users’ My Documents folders on a server, where they can be backed up, scanned for viruses, and made available to users throughout the organization, should they log on to a system other than their normal desktop. You can also make My Documents available offline, so that users have access to their files even when users are not connected to the network.
■ Internet Explorer favorites and cookies
■ Certificates (if implemented)
■ Application-specific files such as the Microsoft Office custom user dictionary, user templates, and autocomplete list
■ My Network Places
■ Desktop display settings such as appearance, wallpaper, and screensaver
These important elements are specific to each user. It is desirable that they be consistent between logons, available should the user need to log on to another system, and resilient in the event that the user’s system fails and must be reinstalled.
Local User Profiles
By default, user profiles are stored locally on the system in the %Systemdrive%\Documents and Settings\%Username% folder. They operate in the following manner:
■ When a user logs on to a system for the first time, the system creates a profile for the user by copying the Default User profile. The new profile folder is named based on the logon name specified in the user’s initial logon.
■ All changes made to the user’s desktop and software environment are stored in the local user profile. Each user has his or her individual profiles so settings are user-specific.
■ The user environment is extended by the All Users profile, which can include shortcuts in the desktop or start menu, network places, and even application data. Elements of the All Users profile are combined with the user’s profile to create the user environment. By default, only members of the Administrators group can modify the All Users profile.
■ The profile is truly local. If a user logs on to another system, the documents and settings that are part of their profile do not follow the user. Instead, the new system behaves as outlined here, generating a new local profile for the user if it is the user’s first time logging on to that system.
Roaming User Profiles
If users work at more than one computer, you can configure roaming user profiles (RUPs) to ensure that their documents and settings are consistent no matter where they log on. RUPs store the profile on a server, which also means that the profiles can be backed up, scanned for viruses, and managed centrally. Even in environments where users do not roam, RUPs provide resiliency for the important information stored in the profile. If a user’s system fails and must be reinstalled, an RUP will ensure that the user’s environment is identical on the new system to the one on the previous system.
To configure an RUP, create a shared folder on a server. Ideally, the server should be a file server that is frequently backed up.
Note Be sure to configure share permissions allowing Everyone Full Control. The Windows Server 2003 default share permissions allow Read, which is not sufficient for a roaming profile share.
In the Profile tab of the user’s Properties dialog box, type the Profile Path in the format: \\<server>\<share>\%Username%. The %Username% variable will automatically be replaced with the user’s logon name.
It’s that simple. The next time the user logs on, the system will identify the roaming profile location.
Exam Tip Roaming user profiles are nothing more than a shared folder and a path to the user’s profile folder, within that share, entered into the user object’s profile path property. Roaming profiles are not, in any way, a property of a computer object.
When the user logs off, the system will upload the profile to the profile server. The user can now log on to that system or any other system in the domain, and the documents and settings that are part of the RUP will be applied.
Note Windows Server 2003 introduces a new policy: Only Allow Local User Profiles. This policy, linked to an OU containing computer accounts, will prevent roaming profiles from being used on those computers. Instead, users will maintain local profiles.
When a user with an RUP logs on to a new system for the first time, the system does not copy its Default User profile. Instead, it downloads the RUP from the network location. When a user logs off, or when a user logs on to a system on which he or she had worked before, the system copies only files that have changed.
Note To ensure that laptop users obtain their roaming user profiles correctly, be certain that they log on while connected to the network at least one time, so that the roaming profile is downloaded, prior to working offline.
Roaming Profile Synchronization
Unlike previous versions of Microsoft Windows, Windows 2000, Windows XP, and Windows Server 2003 do not upload and download the entire user profile at logoff and logon. Instead, the user profile is synchronized. Only files that have changed are transferred between the local system and the network RUP folder. This means that logon and logoff with RUPs are significantly faster than with earlier Windows versions. Organizations that have not implemented RUPs for fear of their impact on logon and network traffic should reevaluate their configuration in this light.
Security Alert The locally cached copy of an RUP is permissioned so that only the user and the computer’s Administrators group have access to the profile. If other users logging on to the system are members of the Administrators group, you might wish to prevent them from accessing the locally cached copies of other users’ roaming profiles. To do so, enable the policy Delete Cached Copies Of Roaming Profiles in the Computer Configuration\Administrative Templates\System\User Profiles node of a Group Policy Object (GPO).
Creating a Preconfigured User Profile
You can create a customized user profile to provide a planned, preconfigured desktop and software environment. This is helpful to achieve the following:
■ Provide a productive work environment with easy access to needed network resources and applications
■ Remove access to unnecessary resources and applications
■ Simplify help desk troubleshooting by enforcing a more straightforward and consistent desktop
No special tools are required to create a preconfigured user profile. Simply log on to a system and modify the desktop and software settings appropriately. It’s a good idea to do this as an account other than your actual user account so that you don’t modify your own profile unnecessarily.
After you’ve created the profile, log on to the system with administrative credentials. Open System from Control Panel, click the Advanced tab, and then click Settings in the User Profiles frame. Select the profile you created, and then click Copy To. Type the Universal Naming Convention (UNC) path to the profile in the format: \\<server>\<share>\<username>. In the Permitted To Use section, click Change to select the user for whom you’ve configured the profile. This sets the ACL on the profile folder to allow access to that user. Figure 3-5 shows an example. Click OK and the profile is copied to the network location.
Note You must be a member of the Administrators group to copy a profile.
Finally, open the properties of the user object and, in the Profile tab, enter the same UNC Profile Path field. Voilà! The next time that user logs on to a domain computer, that profile will be downloaded and will determine his or her user environment.
Figure 3-5 Copying a preconfigured user profile to the network
Tip Be careful with preconfigured roaming profiles, or any roaming profiles, to pay attention to potential issues related to different hardware on systems to which a user logs on. For example, if desktop shortcuts are arranged assuming XGA (1024×768) resolution, and the user logs on to a system with a display adapter capable of only SVGA (800×600) resolution, some shortcuts might not be visible.
Profiles are also not fully cross-platform. A profile designed for Windows 98 will not function properly on a Windows Server 2003 system. You will even encounter inconsistencies when roaming between Windows Server 2003 systems and Windows XP or Windows 2000 Professional.
Creating a Preconfigured Default Profile
In our introduction to user profiles, we indicated that when a user logs on to a system for the first time, if that user does not have a roaming user profile or if the folder to which that user’s roaming user profile is configured is empty, the system copies its Default User profile as the basis for the user’s initial profile. Therefore, if you wish to customize the initial environment for all users logging on to a system, you must customize the Default User profile on that system.
To do so, follow the steps below, which are explained in the previous section, “Creating a Preconfigured User Profile.”
1. Create a profile (preferably using a temporary user account so as not to modify your profile).
2. Log on with a different account that belongs to the Administrators group on the system.
3. Delete the contents of the existing Default User profile, typically at C:\Documents and Settings\Default User. Note that this is a hidden folder, so you must have the Show Hidden Files And Folders option selected in Folder Options from Control Panel.
4. Use the System program in Control Panel to copy the user profile to the Default User profile, as shown in Figure 3-6. Be certain to indicate that the Everyone group is Permitted To Use the profile.
Figure 3-6 Copying a preconfigured Default User profile
Users who log on to the system for the first time without an existing user profile will receive a copy of your preconfigured Default User profile.
If you wish to create a preconfigured Default User profile that will apply to all systems in your domain, follow the same steps, except copy the profile to the NETLOGON share of a domain controller, into a subfolder called Default User—for example, \\servername\NETLOGON\Default User, where servername is the name of a domain controller. Domain controllers replicate the contents of their NETLOGON share, so the Default User profile will replicate to all domain controllers. Computers in the domain will see the new Default User profile in the NETLOGON share and will replace their local Default User profile. Then each user who logs on for the first time to any system in the domain and who does not already have a local or roaming profile will receive a copy of the profile you configured.
Exam Tip To create a preconfigured default profile for a single system, replace the computer’s Default User profile. To create a preconfigured default profile for the entire domain, copy the preconfigured profile to the NETLOGON share into a subfolder named Default User.
There are two important considerations to remember when configuring a domain Default User profile in the “real world:”
■ The Default User profile in the NETLOGON share of domain controllers replaces the Default User profile on all systems in the domain, including servers and domain controllers. This behavior might not be acceptable in your environment.
■ The NETLOGON share of domain controllers is configured with a share permission that allows only read access. Therefore, to copy the preconfigured profile to a domain controller, you must either alter the share permissions on the NETLOGON share for the period of time during which you are uploading the profile or copy the profile to the same location using another share. The default location of the NETLOGON share on a domain controller is C:\windows\sysvol\sysvol\contoso.com\scripts, where contoso.com is your domain’s DNS name. Therefore, you can copy the profile to \\servername\c$\windows\sysvol\sysvol\contoso.com\scripts, where servername is the name of a domain controller. The default administrative drive share, c$, is configured with permissions that allow administrators write access to the entire volume.
Creating a Preconfigured Group Profile
Roaming profiles enable you to create a standard desktop environment for multiple users with similar job responsibilities. The process is similar to creating a preconfigured user profile except that the resulting profile is made available to multiple users.
Create a profile using the steps outlined above. When copying the profile to the server, use a path such as: \\<server>\<share>\<group profile name>. You must grant access to all users who will use the profile, so, in the Permitted To Use frame, click Change and select a group that includes all the users, or the BUILTIN\USERS group, which includes all domain users. The only users to whom the profile will actually apply are those for which you configure the user object’s profile path.
After copying the profile to the network, you must configure the profile path for the users to whom the profile will apply. Windows Server 2003 simplifies this task in that you can multiselect users and change the profile path for all users simultaneously. Type the same UNC that you used to copy the profile to the network, for example, \\<server>\<share>\<group profile name>.
Exam Tip The profile path is configured as a property of one or more user objects. It is not assigned to a group object. Although the concept is that of a group profile, do not fall into the trap of associating the profile with a group object itself.
Finally, because more than one user will be accessing a group profile, you must make a group profile mandatory, as described in the following section.
Configuring a Mandatory Profile
A mandatory profile does not allow users to modify the profile’s environment. More specifically, a mandatory profile does not maintain changes between sessions. Therefore, although a user can make changes, the next time the user logs on, the desktop will look the same as the last time he or she logged on. Changes do not persist.
Mandatory profiles can be helpful in situations in which you want to lock down the desktop. They are, in a practical sense, critical when you implement group profiles because you obviously don’t want the changes one user makes to affect the environments of other users.
To configure a profile as mandatory, simply rename a file in the root folder of the profile. Interestingly, mandatory profiles are not configured through the application of permissions. The file you need to rename is Ntuser.dat. It is a hidden file, so you must ensure that you have enabled the Show Hidden Files And Folders option in the Folder Options program in Control Panel, or use the attrib command to remove the Hidden attribute. You might also need to configure Windows Explorer to display file extensions.
Locate the Ntuser.dat file in the profile you wish to make mandatory. Rename the file to Ntuser.man. The profile, whether roaming or local, is now mandatory.
Practice: Managing User Profiles
In this practice, you will create roaming and preconfigured roaming user profiles and mandatory group profiles. You will log on and log off a number of times. Because standard user accounts are not allowed to log on locally to a domain controller, you will begin by adding users to the Print Operators group, so that those users can log on successfully.
Exercise 1: Configure Users to Log On to the Domain Controller
In the real world, you would rarely want users to have permission to log on locally to a domain controller; however, in our one-system test environment, this capability is important. Although there are several ways to achieve this goal, the easiest is to add the Domain Users group to the Print Operators group. The Print Operators group has the right to log on locally.
1. Open Active Directory Users And Computers.
2. In the tree pane, select the Builtin container.
3. Open the Properties of the Print Operators group.
4. Use the Members tab to add Domain Users to the group.
Exercise 2: Create a Profiles Share
1. Create a Profiles folder on the C drive.
2. Right-click the Profiles folder and choose Sharing and Security.
3. Click the Sharing tab.
4. Share the folder with the default share name: Profiles.
5. Click the Permissions button.
6. Select the check box to allow Full Control.
7. Click OK.
Security Alert Windows Server 2003 applies a limited share permission by default when creating a share. Most organizations follow the best practice, which is to allow Full Control as a share permission, and to apply specific NTFS permissions to the ACL of the folder using the Security tab of the folder’s properties dialog box. However, in the event that an administrator has not locked down a resource before sharing it, Windows Server 2003 errs in favor of security, using a share permission that allows Read-Only access.
Exercise 3: Create a User Profile Template
1. Create a user account that will be used solely for creating profile templates. Use the following guidelines when creating the account:
   Text Box Name                           Type
   First Name                              Profile
   Last Name                               Account
   User Logon Name                         Profile
   User Logon Name (Pre-Windows 2000)      Profile
2. Log off of Server01.
3. Log on as the Profile account.
4. Customize the desktop. You might create shortcuts to local or network resources such as creating a shortcut to the C drive on the desktop.
5. Customize the desktop using the Display application in Control Panel. On the Desktop page of the Display Properties dialog box, you can configure the desktop background and, by clicking Customize Desktop, add the My Documents, My Computer, My Network Places, and Internet Explorer icons to the desktop.
6. Log off as the Profile account.
Exercise 4: Set Up a Preconfigured User Profile
1. Log on as Administrator.
2. Open System Properties from Control Panel by double-clicking System.
3. Click the Advanced tab.
4. In the User Profiles frame, click Settings. This opens the Copy To dialog box.
5. Select the Profile account’s user profile.
6. Click Copy To.
7. In the Copy Profile To frame, type \\server01\profiles\hcarbeck.
8. In the Permitted To Use section, click Change.
9. Type Hank and click OK.
10. Confirm the entries in the Copy To dialog box and click OK.
11. After the profile has copied to the network, click OK twice to close the User Profiles and System Properties dialog boxes.
12. Open the C:\Profiles folder to verify that the profile folder “Hcarbeck” was created.
13. Open Active Directory Users And Computers and, in the tree pane, select the Employees OU.
14. Open the properties of Hank Carbeck’s user object.
15. Click the Profile tab.
16. In the Profile Path field, type \\server01\profiles\%username%.
17. Click Apply and confirm that the %Username% variable was replaced by hcarbeck. It is important that the profile path match the actual network path to the profile folder.
18. Click OK.
19. Test the success of the preconfigured roaming user profile by logging off and logging on with the user name hank.carbeck@contoso.com. You should see the desktop modifications that you made while logged on as the Profile account.
Exercise 5: Set Up a Preconfigured, Mandatory Group Profile
1. Log on as Administrator.
2. Open System Properties from Control Panel by double-clicking System.
3. Click the Advanced tab.
4. In the User Profiles frame, click Settings.
5. Select the Profile account’s user profile.
6. Click Copy To.
7. In the Copy Profile To frame, type \\server01\profiles\sales.
8. In the Permitted To Use frame, click Change.
9. Type Users and then click OK.
10. Confirm the entries in the Copy To dialog box and then click OK.
11. After the profile has copied to the network, click OK twice to close the User Profiles and System Properties dialog boxes.
12. Open the C:\Profiles folder to verify that the profile folder Sales was created.
13. Open Folder Options in Control Panel and, in the View tab, under Advanced Settings, ensure that the option, Show Hidden Files And Folders, is selected.
14. Open the C:\Profiles\Sales folder and rename the file Ntuser.dat to Ntuser.man. This makes the profile mandatory.
15. Open Active Directory Users And Computers and, in the tree pane, select the Employees OU.
16. In the details pane, select the following objects by clicking the first and pressing the CTRL key while selecting additional objects: Scott Bishop, Danielle Tiedt, Lorrin Smith-Bates.
17. Click the Action menu and choose Properties.
18. Click the Profile tab, and then select the Profile Path check box.
19. In the Profile Path field, type \\server01\profiles\sales.
20. Click OK.
21. Test the success of the preconfigured roaming user profile by logging off and logging on with the user name danielle.tiedt@contoso.com.
22. Test the mandatory nature of the profile by making a change to the desktop appearance. You will be able to make the change, but the change will not persist to future sessions.
23. Log off the computer, and then log on again as Danielle Tiedt. Because the profile is mandatory, the changes you made in the previous step should not appear.
24. Log off the computer, and log on again as Scott Bishop, with user name scott.bishop@contoso.com. The same desktop should appear.
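Exercises 4 and 5 verify two things by hand: that the Profile Path, after %Username% is expanded, points at a folder that really exists on the share (step 17 of Exercise 4), and that a group profile carries Ntuser.man rather than Ntuser.dat in its root (step 14 of Exercise 5, as explained under “Configuring a Mandatory Profile”). The following Python performs the same checks; it is an added example, not the book’s code or a Microsoft tool. It assumes the share is backed by a local folder, for which a temporary directory stands in for \\server01\profiles, and that the hive file name alone decides whether a profile is mandatory, which is what the lesson states. The helper names and the sample profile folders are mine.

```python
r"""Check a roaming-profile configuration the way Exercises 4 and 5 verify it by hand.

Added example, not from the book. Given a user's Profile Path, it expands
%Username%, maps the UNC onto the local folder backing the share, confirms the
folder exists, and reports whether the profile is mandatory (Ntuser.man) or
roaming (Ntuser.dat). A temporary directory stands in for \\server01\profiles.
"""
import os
import re
import shutil
import tempfile


def expand_profile_path(profile_path: str, username: str) -> str:
    """Replace %Username% (any case), as the Profile tab does when you click Apply."""
    return re.sub(r"%username%", lambda _m: username, profile_path, flags=re.IGNORECASE)


def unc_to_local(unc: str, share_root: str, share_name: str) -> str:
    r"""Map \\server\share\rest onto the local folder backing the share (constructed helper)."""
    m = re.match(r"^\\\\[^\\]+\\([^\\]+)(?:\\(.*))?$", unc)
    if not m or m.group(1).lower() != share_name.lower():
        raise ValueError(f"not a path on the {share_name} share: {unc}")
    rest = m.group(2) or ""
    return os.path.join(share_root, *rest.split("\\")) if rest else share_root


def profile_status(local_folder: str) -> str:
    """'missing' (no folder), 'mandatory', 'roaming', or 'unknown' (no hive, or both)."""
    if not os.path.isdir(local_folder):
        return "missing"
    names = {n.lower() for n in os.listdir(local_folder)}
    has_man, has_dat = "ntuser.man" in names, "ntuser.dat" in names
    if has_man and not has_dat:
        return "mandatory"
    if has_dat and not has_man:
        return "roaming"
    return "unknown"


def check_user(profile_path: str, username: str, share_root: str, share_name: str = "profiles"):
    """Return (expanded UNC, status) for one user object's Profile Path."""
    unc = expand_profile_path(profile_path, username)
    return unc, profile_status(unc_to_local(unc, share_root, share_name))


def make_profile(root: str, name: str, mandatory: bool = False) -> str:
    """Create a stand-in profile folder with a placeholder hive file (constructed data)."""
    folder = os.path.join(root, name)
    os.makedirs(folder, exist_ok=True)
    hive = "Ntuser.man" if mandatory else "Ntuser.dat"
    with open(os.path.join(folder, hive), "wb") as f:
        f.write(b"regf-placeholder")  # not a real registry hive
    return folder


def demo():
    """Build the two profiles from the practice and check three Profile Path settings."""
    root = tempfile.mkdtemp(prefix="profiles-")
    try:
        make_profile(root, "hcarbeck")               # Exercise 4: per-user roaming profile
        make_profile(root, "sales", mandatory=True)  # Exercise 5: shared mandatory profile
        return {
            "hank": check_user(r"\\server01\profiles\%username%", "hcarbeck", root),
            "danielle": check_user(r"\\server01\profiles\sales", "dtiedt", root),
            # Logon name does not match the folder copied in step 7: the path is wrong.
            "typo": check_user(r"\\server01\profiles\%username%", "hcarbek", root),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for who, (unc, status) in demo().items():
        print(f"{who:9} {unc:40} {status}")
```

The "typo" case is the failure step 17 warns about: the user's object expands to a path that is spelled differently from the folder created in step 7, so the user gets a fresh local profile instead of the preconfigured one. Pointing share_root at the real C:\Profiles folder on Server01 runs the same check against the practice environment.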
Lesson Review
The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.
1. Describe how a user’s desktop is created when RUPs are not implemented.
2. Arrange, in order, the steps that reflect the creation of a preconfigured roaming user profile. Use all steps provided.
   ❑ Customize the desktop and user environment.
   ❑ Log on as a user with sufficient permissions to modify user account properties.
   ❑ Copy the profile to the network.
   ❑ Create a user account so that the profile can be created without modifying any user’s current profile.
   ❑ Log on as the profile account.
   ❑ Enter the UNC path to the profile in a user’s Profile property sheet.
   ❑ Log on as a local or domain administrator.
3. How do you make a profile mandatory?
   a. Configure the permissions on the folder’s Security property sheet to deny write permission.
   b. Configure the permissions on the folder’s Sharing property sheet to allow only read permission.
   c. Modify the attributes of the profile folder to specify the Read Only attribute.
   d. Rename Ntuser.dat to Ntuser.man.
Lesson Summary
■ Windows Server 2003 provides individual profiles for each user who logs on to the system. Profiles are stored, by default, on the local system in %Systemdrive%\Documents and Settings\%Username%.
■ Roaming profiles require only a shared folder and the profile path configured in the user object’s properties.
■ Preconfigured profiles are simply profiles that are copied to the profile path before the profile path is configured in the user object.
■ Group profiles must be made mandatory, by renaming Ntuser.dat to Ntuser.man, so that changes made by one user do not affect other users.
3-44 Chapter 3 User Accounts
Lesson 4: Securing and Troubleshooting Authentication
After you have configured user objects, and users are authenticating against those
accounts, you expose yourself to two additional challenges: security vulnerabilities,
which if unaddressed could compromise the integrity of your enterprise network; and
social engineering challenges, as you work to make the network, and authentication in
general, friendly and reliable for users. Unfortunately, these two dynamics are at odds
with each other—the more secure a network, the less usable it becomes. In this lesson,
we will address issues related to user authentication. You will learn the impact of
domain account policies, including password policies and account lockout policies.
You will also learn how to configure auditing for logon-related events, and to perform
various authentication-related tasks on user objects.
After this lesson, you will be able to
■ Identify domain account policies and their impact on password requirements and
authentication
■ Configure auditing for logon events
■ Modify authentication-related attributes of user objects
Estimated lesson time: 15 minutes
Securing Authentication with Policy
Active Directory on Windows Server 2003 supports security policies to strengthen pass-
words and their use within an enterprise. Of course, you must design a password pol-
icy that is sufficiently daunting to attackers while being sufficiently convenient for
users, so that they do not forget passwords (resulting in increased calls to the help
desk) or, worse, write down their passwords.
A system running Windows Server 2003 as a member server maintains a policy related
to its local user accounts. The local security policy can be managed using the appro-
priately named snap-in: Local Security Policy.
You will more often be concerned with the policy that affects domain user objects.
Domain account policy is managed by the Default Domain Policy. To examine and
modify this policy, do one of the following:
■ Open Domain Security Policy from the Administrative Tools folder.
■ Open the Group Policy Management Console (GPMC), expand the Group Policy
Objects node within the domain, right-click the Default Domain Policy GPO, and
choose Edit.
■ If the GPMC is not installed, open the Active Directory Users And Computers MMC
console or snap-in. Select the domain node and choose Properties from the Action
menu or the shortcut menu. Click the Group Policy tab. Select Default Domain
Policy and click Edit.
The Group Policy Object Editor console opens, focused on the Default Domain pol-
icy. Navigate to Computer Configuration, Windows Settings, Security Settings,
Account Policies.
Password Policy
The domain password policies enable you to protect your network against password
compromise by enforcing best-practice password management techniques. The poli-
cies are described in Table 3-5.
Table 3-5 Password Policies

Enforce Password History
When this policy is enabled, Active Directory maintains a list of recently used
passwords and will not allow a user to create a password that matches a password in
that history. The result is that a user, when prompted to change his or her password,
cannot use the same password again, and therefore cannot circumvent the password
lifetime. The policy is enabled by default, with the maximum value of 24. Many IT
organizations use a value of 6 to 12.

Maximum Password Age
This policy determines when users will be forced to change their passwords. Passwords
that are unchanged or infrequently changed are more vulnerable to being cracked and
used by attackers to impersonate a valid account. The default value is 42 days. IT
organizations typically enforce password changes every 30 to 90 days.

Minimum Password Age
When users are required to change their passwords—even when a password history is
enforced—they can simply change their passwords several times in a row to circumvent
password requirements and return to their original passwords. The Minimum Password
Age policy prevents this possibility by requiring that a specified number of days must
pass between password changes. Of course, a password can be reset at any time in
Active Directory by an administrator or support person with sufficient permissions. But
the user cannot change his or her password more than once during the time period
specified by this setting.

Minimum Password Length
This policy specifies the minimum number of characters required in a password. The
default in Windows Server 2003 is seven.

Passwords Must Meet Complexity Requirements
This policy enforces rules, or filters, on new passwords. The default password filter in
Windows Server 2003 (passfilt.dll) requires that a password:
❑ Is not based on the user’s account name.
❑ Is at least six characters long.
❑ Contains characters from three of the following four character types:
  Uppercase alphabet characters (A…Z)
  Lowercase alphabet characters (a…z)
  Arabic numerals (0…9)
  Nonalphanumeric characters (for example, !$#,%)
Windows Server 2003 enables this policy by default.
Note Configuring password length and complexity requirements does not affect existing
passwords. These changes will affect new accounts and changed passwords after the policy
is applied.
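The following is an added example, not part of the training kit or of Windows itself: a small filter that applies the passfilt.dll rules listed in Table 3-5 together with the Minimum Password Length policy, and reports which rule rejected a candidate password. The “not based on the account name” rule is modeled here as a case-insensitive substring check on the SAM account name, skipped for names shorter than three characters; that reading is an assumption, as is treating every non-ASCII-alphanumeric character as a nonalphanumeric character.

```python
"""Password acceptance check modeled on the Table 3-5 complexity rules.

Added example; not the training kit's code and not Microsoft's passfilt.dll.
Two independent limits apply to length: the Minimum Password Length policy
(default 7 in Windows Server 2003) and the filter's own floor of 6, so the
effective minimum is whichever is larger.
"""
import string

POLICY_MIN_LENGTH = 7   # Windows Server 2003 default for Minimum Password Length
FILTER_MIN_LENGTH = 6   # floor enforced by the default complexity filter


def character_classes(password: str) -> set:
    """Return the set of character classes used: upper, lower, digit, symbol."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            # Assumption: anything else (space, punctuation, non-ASCII) counts
            # as a nonalphanumeric character such as ! $ # , %.
            classes.add("symbol")
    return classes


def check_password(password: str, account_name: str,
                   min_length: int = POLICY_MIN_LENGTH) -> list:
    """Return the list of violated rules; an empty list means accepted."""
    problems = []
    if len(password) < max(min_length, FILTER_MIN_LENGTH):
        problems.append("too short")
    # Assumption: "based on the account name" means the SAM account name
    # appears inside the password, compared case-insensitively. Names of
    # fewer than three characters are not checked.
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        problems.append("based on account name")
    if len(character_classes(password)) < 3:
        problems.append("fewer than three character classes")
    return problems
```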
Account Lockout Policy
Account lockout refers, in its broadest sense, to the concept that after several failed
logon attempts by a single user, the system should assume that an attacker is attempt-
ing to compromise the account by discovering its password and, in defense, should
lock the account so no further logons may be attempted. Domain account lockout pol-
icies determine the limitations for invalid logons, expressed in a number of invalid
logons in a period of time, and the requirements for an account to become unlocked,
whether by simply waiting or by contacting an administrator. Table 3-6 summarizes
Account Lockout policies.
Table 3-6 Account Lockout Policies

Account Lockout Threshold
This policy configures the number of invalid logon attempts that will trigger account
lockout. The value can be in the range of 0 to 999. A value that is too low (as few as
three, for example) might cause lockouts due to normal, human error at logon. A value
of 0 will result in accounts never being locked out. The lockout counter is not affected
by logons to locked workstations.

Account Lockout Duration
This policy determines the period of time that must pass after a lockout before Active
Directory will automatically unlock a user’s account. The policy is not set by default
because it is useful only in conjunction with the Account Lockout Threshold policy. The
policy accepts values ranging from 0 to 99999 minutes, or about 10 weeks. A value of 0
will require the user to contact appropriate administrators to unlock the account
manually. Although a value of 0 sounds secure and is often touted as a best practice, it
is in fact not recommended because it provides attackers the ability to cause Denial Of
Service (DoS) failures by locking out service, user, or computer accounts. Instead, a low
setting (5 to 15 minutes) is sufficient to reduce account attacks significantly without
allowing lengthy DoS and without unreasonably affecting legitimate users who are
mistakenly locked out.

Reset Account Lockout Counter After
This setting specifies the time that must pass after an invalid logon attempt before the
counter resets to zero. The range is 1 to 99999 minutes, and must be less than or equal
to the account lockout duration.
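As an added illustration (not from the training kit, and a model rather than the domain controller’s actual implementation), the following simulation applies the three Table 3-6 settings to a sequence of logon attempts. Time is expressed in minutes from an arbitrary starting point; the assumption that the reset window is only constrained when the lockout duration is finite is the author of this example’s reading of the table.

```python
"""Account lockout state machine following the Table 3-6 semantics.

Added example, not the training kit's code. Minutes are integers counted from
an arbitrary epoch. A lockout duration of 0 means the account stays locked
until an administrator clears Account Is Locked Out, which is the behavior
the table warns can be turned into a denial of service.
"""


class LockoutPolicy:
    def __init__(self, threshold: int, duration: int, reset_after: int):
        # Ranges from Table 3-6: threshold 0..999 (0 = never lock out),
        # duration 0..99999 minutes (0 = administrator must unlock),
        # reset counter 1..99999 minutes.
        if not 0 <= threshold <= 999:
            raise ValueError("threshold out of range")
        if not 0 <= duration <= 99999:
            raise ValueError("duration out of range")
        if not 1 <= reset_after <= 99999:
            raise ValueError("reset counter out of range")
        # Assumption: the reset window may not exceed a finite lockout duration.
        if duration != 0 and reset_after > duration:
            raise ValueError("reset counter must not exceed lockout duration")
        self.threshold = threshold
        self.duration = duration
        self.reset_after = reset_after


class AccountState:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.bad_count = 0       # invalid logons inside the current reset window
        self.last_bad = None     # minute of the most recent invalid logon
        self.locked_at = None    # minute the lockout began, or None

    def is_locked(self, now: int) -> bool:
        """Report lock state, performing the automatic unlock when due."""
        if self.locked_at is None:
            return False
        if self.policy.duration == 0:
            return True          # locked until admin_unlock() is called
        if now - self.locked_at >= self.policy.duration:
            self.locked_at = None
            self.bad_count = 0
            return False
        return True

    def logon(self, now: int, password_ok: bool) -> str:
        """Process one attempt; returns 'locked', 'failed' or 'success'."""
        if self.is_locked(now):
            return "locked"
        # Expire a stale counter before counting this attempt.
        if self.last_bad is not None and now - self.last_bad >= self.policy.reset_after:
            self.bad_count = 0
        if password_ok:
            self.bad_count = 0
            return "success"
        self.bad_count += 1
        self.last_bad = now
        if self.policy.threshold and self.bad_count >= self.policy.threshold:
            self.locked_at = now
            return "locked"
        return "failed"

    def admin_unlock(self) -> None:
        """Equivalent of clearing Account Is Locked Out on the Account tab."""
        self.locked_at = None
        self.bad_count = 0
```

With the Exercise 1 values (duration 0, threshold 5, reset counter 30), five invalid logons lock the account and even a correct password is refused until admin_unlock() runs; with a finite duration the same account unlocks on its own once that many minutes have passed.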
Cross-Platform Issues
Organizations commonly implement a mix of directory service, server, and client
platforms. In environments in which Windows 95, Windows 98, Windows Me, or
Windows NT 4 participate in an Active Directory domain, administrators need to
be aware of several issues.
■ Passwords: Although Windows 2000, Windows XP Professional, and Windows
Server 2003 support 127-character passwords, Windows 95, Windows 98, and
Windows Me support only 14-character passwords.
■ Active Directory Client: The Active Directory Client can be downloaded from
Microsoft’s Web site and installed on Windows 95, Windows 98, Windows Me, and
Windows NT 4 systems. It enables those platforms running previous editions of
Windows to participate in many Active Directory features available to Windows
2000 Professional or Windows XP Professional, including the following:
❑ Site-awareness: a system with the Active Directory Client will attempt to log
on to a domain controller in its site, rather than to any domain controller in
the enterprise.
❑ Active Directory Service Interfaces (ADSI): use scripting to manage Active
Directory.
❑ Distributed File System (DFS): access DFS shared resources on servers run-
ning Windows 2000 and Windows Server 2003.
❑ NT LAN Manager (NTLM) version 2 authentication: use the improved authen-
tication features in NTLM version 2.
❑ Active Directory Windows Address Book (WAB): property pages
❑ Active Directory search capability integrated into the Start–Find or Start–Search
commands.
The following functionalities, supported on Windows 2000 Professional and Windows
XP Professional, are not provided by the Active Directory client on Windows 95,
Windows 98, and Windows NT 4:
■ Kerberos V5 authentication
■ Group Policy or Change and Configuration Management support
■ Service principal name (SPN), or mutual authentication.
In addition, you should be aware of the following issues in mixed environments:
■ Without the Active Directory client, users on systems using versions of Windows
earlier than Windows 2000 can change their password only if the system has
access to the domain controller performing the single master operation called pri-
mary domain controller (PDC) emulator. To determine which system is the PDC
emulator in a domain, open Active Directory Users And Computers, select the
domain node, choose the Operations Masters command from the Action menu,
and then click the PDC tab. If the PDC emulator is unavailable (that is, if it is
offline or on the distant side of a downed network connection), the user cannot
change his or her password.
■ As you have learned in this chapter, user objects maintain two user logon name
properties. The Pre-Windows 2000 logon name, or SAM name, is equivalent to the
user name in Windows 95, Windows 98, or Windows NT 4. When users log on,
they enter their user name and must select the domain from the Log On To box.
In other situations, the user name may be entered in the format
<DomainName>\<UserLogonName>.
Users logging on using Windows 2000 or later platforms may log on the same way, or
they may log on using the more efficient UPN. The UPN takes the format
<UserLogonName>@<UPN Suffix>, where the UPN suffix is, by default, the DNS domain
name in which the user object resides. It is not necessary to select the domain from the
Log On To box when using UPN logon. In fact, the box becomes disabled as soon as you
type the “@” symbol.
Auditing Authentication
If you are concerned that attacks might be taking place to discover user passwords, or
to troubleshoot authentication problems, you can configure an auditing policy that will
create entries in the Security log that might prove illuminating.
Audit Policies
The following policies are located in the Computer Configuration, Windows Settings,
Security Settings, Local Policies, Audit Policy node of Group Policy Object Editor (or
the Local Security Policy snap-in). You can configure auditing for successful or failed
events.
■ Audit Account Management Configures auditing of activities, including the
creation, deletion, or modification of user, group, or computer accounts. Password
resets are also logged when account management auditing is enabled.
■ Audit Account Logon Events This policy audits each instance of user logon
that involves domain controller authentication. For domain controllers, this policy
is defined in the Default Domain Controllers GPO. Note, first, that this policy will
create a Security log entry on a domain controller each time a user logs on inter-
actively or over the network using a domain account. Second, remember that to
evaluate fully the results of the auditing, you must examine the Security logs on all
domain controllers because user authentication is distributed among each domain
controller in a site or domain.
■ Audit Logon Events Logon events include logon and logoff, interactively or
through network connection. Account logon events are generated on the local
computer for local accounts and on the domain controller for network accounts,
whereas logon events are generated wherever the logon occurs. If you have
enabled Audit Logon Events policy for successes on a domain controller, worksta-
tion logons will not generate logon audits. Only interactive and network logons to
the domain controller itself generate logon events.
Tip Keep track of the distinction between Account Logon and Logon events. When a user
logs on to his or her workstation using a domain account, the workstation registers a Logon
event and the domain controller registers an Account Logon event. When the user connects to
a network server’s shared folder, the server registers a Logon event and the domain controller
registers an Account Logon event.
Security Event Log
After you have configured auditing, the security logs will begin to fill with event mes-
sages. You can view these messages by selecting the Security log in the Event Viewer
snap-in and then double-clicking the event.
Exam Tip Remember that you will need to monitor Account Logon events on each domain
controller to determine if and when a user attempts to log on using a domain account. You
must monitor Logon events on systems to determine if and when a user attempts to log on to
or connect to those systems using either a domain or local account.
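Because Account Logon events land on whichever domain controller happened to authenticate the attempt, the failed logons for one account are spread across several Security logs. The following added example (not from the training kit) merges simplified records from two domain controllers and reports accounts whose failures within a time window reach the lockout threshold, which is the kind of review the lesson describes for spotting password-guessing attempts. The records are constructed sample data in the shape (domain controller, minute, account, outcome), not exported Windows event entries.

```python
"""Correlate failed Account Logon events across domain controllers.

Added example, not the training kit's code. Each record is a constructed
tuple (dc, minute, account, outcome) standing in for one Account Logon
audit entry; minutes count from an arbitrary epoch.
"""
from collections import defaultdict

# Constructed sample data: what two domain controllers each recorded.
DC1_LOG = [
    ("DC1", 0, "sbishop", "failure"),
    ("DC1", 1, "sbishop", "failure"),
    ("DC1", 2, "sbishop", "success"),
    ("DC1", 5, "dtiedt", "failure"),
]
DC2_LOG = [
    ("DC2", 5, "lsmithbates", "failure"),
    ("DC2", 6, "lsmithbates", "failure"),
    ("DC2", 7, "lsmithbates", "failure"),
    ("DC2", 8, "lsmithbates", "failure"),
    ("DC2", 9, "lsmithbates", "failure"),
    ("DC2", 10, "lsmithbates", "failure"),
    ("DC2", 6, "dtiedt", "failure"),
]


def merge_logs(*logs):
    """Merge the per-DC logs into one timeline ordered by minute."""
    return sorted((rec for log in logs for rec in log), key=lambda r: r[1])


def max_failures_in_window(records, window):
    """For each account, the most failures that fall inside any span shorter
    than `window` minutes (a sliding window over the sorted failure times)."""
    times = defaultdict(list)
    for _dc, minute, account, outcome in records:
        if outcome == "failure":
            times[account].append(minute)
    result = {}
    for account, ts in times.items():
        ts.sort()
        best, start = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] >= window:
                start += 1
            best = max(best, end - start + 1)
        result[account] = best
    return result


def suspicious_accounts(records, threshold, window):
    """Accounts whose windowed failure count reached the lockout threshold."""
    counts = max_failures_in_window(records, window)
    return sorted(acct for acct, n in counts.items() if n >= threshold)
```

Note that dtiedt shows one failure in each DC’s log but two in the merged view, which is why the Exam Tip above says to read every domain controller’s Security log.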
Administering and Troubleshooting User Authentication
When users forget their passwords, are transferred or terminated, you will have to
manage their user objects appropriately. The most common administrative tasks related
to user account security are unlocking an account, resetting a password, disabling,
enabling, renaming, and deleting user objects.
Unlocking a User Account
The account lockout policy requires that when a user has exceeded the limit for invalid
logon attempts, the account is locked and no further logons can be attempted for a
specified period of time or until an administrator has unlocked the account. If a user
account is locked out, the user will receive a specific error message at logon, as shown
in Figure 3-7.
Figure 3-7 Logon message indicating the user’s account is locked out
To unlock a user’s account, select the user object and, from the Action menu, choose
Properties. Click the Account tab and clear the check box: Account Is Locked Out.
Resetting User Passwords
If a user forgets his or her password, the user will receive a logon message, as shown
in Figure 3-8. You must reset the password. You do not need to know the user’s old
password to do so. Simply select the user object and, from the Action menu or the
shortcut menu, choose the Reset Password command. Enter the new password twice to
confirm the change, and as a security best practice, select the User Must Change Pass-
word At Next Logon option.
Figure 3-8 Logon message indicating the username or password is invalid
Tip A few days prior to a user’s password expiration, the user will begin to be notified that
the password should be changed. If the user does not heed the notifications or does not
receive them because the user is not connected to the network or is out of the office, the
password will expire. After a password has expired, if the user is unable to log on, the user
will not be able to change his or her password. In such an event an administrator must reset
the user’s password. Again, a best practice is to select the User Must Change Password At
Next Logon option.
Disabling, Enabling, Renaming, and Deleting User Objects
Personnel changes might require you to disable, enable, or rename a user object. The
process for doing so is similar for each action. Select the user and, from the Action
menu, choose the appropriate command, as follows:
■ Disabling And Enabling A User When a user does not require access to the
network for an extended period of time, you should disable the account. Reenable
the account when the user needs to log on once again. Note that only one of the
commands to Disable or Enable will appear on the Action menu depending on the
current status of the object.
If a user attempts to log on when his or her account is disabled, the user will
receive the error message shown in Figure 3-9.
Figure 3-9 Logon message indicating the user’s account is disabled
■ Deleting A User When a user is no longer part of your organization, and there
will not soon be a replacement, delete the user object. Remember that by deleting
a user, you lose its group memberships and, by deleting the SID, its rights and per-
missions. If you recreate a user object with the same name, it will have a different
SID, and you will have to reassign rights, permissions, and group memberships.
■ Renaming A User You will rename a user if a user changes his or her name,
for example through marriage, or in the event that a user is no longer part of
your organization, but you are replacing that user and you want to maintain the
rights, permissions, group memberships, and most of the user properties of the
previous user.
If a user attempts to log on to an account that has been deleted or renamed, the
user will be logging on with an invalid user name. The error message the user
receives, shown in Figure 3-8, is the same message displayed if the user enters an
invalid password.
Exam Tip Be certain to understand the difference between disabling and deleting an
object; and between enabling and unlocking a user.
It is also possible that user or computer account configuration in Active Directory
might prevent a user from logging on. The following sections address common authen-
tication troubleshooting scenarios.
Modifying Account Expiration
If a user account has expired, the user will receive a logon message that says, “Your
account has expired. Please see your system administrator.” You may reactivate the
account by opening the user’s Properties dialog box and clicking the Account tab,
shown in Figure 3-4. In the Account Expires section, either select Never to indicate that
the user account will not expire or configure an expiration date in the future.
Changing or Removing Computer Restrictions
Computer restrictions, introduced in Lesson 1, limit the computers to which a user may
log on. By default, users may log on to any workstation in the domain. They can be
restricted by clicking the Log On To button in the Account tab of the user Properties
dialog box, shown in Figure 3-4. If a user who has computer restrictions configured
attempts to log on to a computer that is not allowed by computer restrictions, the user
will receive the message illustrated in Figure 3-10. To troubleshoot this scenario, do
one of the following:
■ Instruct the user to log on to an allowed workstation.
■ Add the workstation to the user’s list of allowed workstations. In the user’s Prop-
erties dialog box, click Log On To and add the workstation name.
■ Remove all computer restrictions by clicking the Log On To button in the user’s
Account properties page and select All Computers, as shown in Figure 3-11. This
will ensure that the user account allows the user to log on to any client computer
on the network.
Figure 3-10 Logon message indicating the user is restricted from logging on to the computer
Figure 3-11 Computer restrictions dialog box
Granting the User Right to Log On Locally
The user’s ability to log on to a system is also subject to the system’s user rights assign-
ment security policy that allows local, or interactive, logon. By default, the local Users
group, which includes Domain Users, is allowed the right to log on locally to all mem-
ber servers and workstations but not to domain controllers. Therefore, users should be
able to log on to any member server or workstation in the domain. If this default has
been modified, a user might not have the right to log on locally to a computer. The
user will receive a logon message, as shown in Figure 3-12.
Figure 3-12 Logon message indicating the user does not have the right to log on locally
To solve this problem, ensure that the appropriate groups have the right to log on
locally to the computer. To examine the computer’s security policies, open the Local
Security Policy MMC console from the Administrative Tools program group if the com-
puter is a member server or workstation—or the Domain Controller Security Policy if
the computer is a domain controller. Expand Local Policies and select User Rights
Assignment. The policy is called Log On Locally on a Windows XP system and Allow
Log On Locally on a Windows Server 2003 system.
It is also possible that a GPO has configured the right to log on locally. The analysis of
GPO application using Resultant Set of Policies (RSoP) is beyond the scope of this
book, so consult the Windows Help And Support Center to learn how to use RSoP to
identify which GPO you must modify to enable the user to log on locally.
Managing User Logon Hours
You can configure a user account to permit or deny logon during a particular time
period using the Logon Hours button on the user’s Account properties page, shown in
Figure 3-4. If a user attempts to log on to a system when logon is denied, the user
receives an error message, as shown in Figure 3-13. The user will not be able to log on
to a computer during denied hours.
Figure 3-13 Logon message indicating that the user is logging on outside of permitted logon hours
If the user is already logged on to a system when his or her logon hours expire, the
user is not forced off the system. There is no capability native to Windows operating
systems to force a user to log off a system to which the user is logged on.
However, it is possible, using security policies, to disconnect a user from network
resources when the user’s logon hours expire. The result of this configuration is that,
when logon hours expire, the user can no longer access resources on member servers
or workstations in the domain but is able to continue working on the local system.
To forcibly disconnect a user from network resources, enable the policy setting: Net-
work Security: Force Logoff When Logon Hours Expire. This policy setting is found in
the Local Policies, Security Options node of a GPO. It is recommended to configure
this policy in a GPO with domain-wide scope, such as the Default Domain Policy GPO,
which you can open using the Domain Security Policy MMC console in the Adminis-
trative Tools folder.
Preventing Users from Logging On with Cached Credentials
When a user logs on successfully to a Windows operating system, the computer caches
the user’s credentials (including the user’s username and password). This allows the
user to log on even if the computer cannot contact a domain controller, which has
obvious value for laptop users who work offline. In certain environments, or on certain
systems, you might wish to prevent users from logging on with cached credentials—in
other words, require their computers to be connected to the network and to be able to
contact a domain controller. To achieve this configuration, enable the security policy:
Interactive Logon: Number Of Previous Logons To Cache. You can find this policy in
the Computer Configuration, Windows Settings, Security Settings, Local Policies,
Security Options node of a GPO.
Practice: Securing and Troubleshooting Authentication
In this practice, you will configure domain auditing policies. You will then generate
logon events. Finally, you will examine and troubleshoot the results of those logons.
Exercise 1: Configure Policies
1. Open Active Directory Users And Computers.
2. Select the domain node, contoso.com.
3. From the Action menu, choose Properties.
4. On the Group Policy tab, select Default Domain Policy and then click Edit.
5. Navigate to Computer Configuration, Windows Settings, Security Settings, Account
Policies, and, finally, Account Lockout Policy.
6. Double-click the Account Lockout Duration policy.
7. Select the Define This Policy Setting check box.
8. Type 0 for the duration, and then click Apply.
The system will prompt you that it will configure the account lockout threshold
and reset counter policies. Click OK.
9. Click OK to confirm the settings, and then click OK to close the Policy dialog box.
10. Confirm that the Account Lockout Duration policy is zero, the threshold is 5, and
the reset counter policy is 30 minutes.
11. Close the Group Policy Object Editor window.
12. Click OK to close the Properties dialog box for the contoso.com domain.
13. Select the Domain Controllers container, under the domain node.
14. From the Action menu, click Properties.
15. On the Group Policy tab, select Default Domain Controllers Policy and click Edit.
16. Navigate to Computer Configuration, Windows Settings, Security Settings, Local
Policies, and, finally, Audit Policy.
17. Double-click the Audit Account Logon Events policy.
18. Select Define These Policy Settings, select both Success and Failure, and then
click OK.
19. Double-click the Audit Logon Events policy.
20. Select Define These Policy Settings, select both Success and Failure, and then
click OK.
21. Double-click the Audit Account Management policy.
22. Select Define These Policy Settings, select Success, and then click OK.
23. Close the Group Policy Object Editor window.
24. Click OK to close the Properties dialog box for the Domain Controllers Properties
dialog box.
Exercise 2: Generate Logon Events
1. Log off Server01.
2. Generate two logon failure events by attempting to log on twice with the user-
name sbishop and an invalid password.
3. Log on correctly as sbishop.
4. Log off.
Exercise 3: Generate Account Management Events
1. Log on as Administrator.
2. Open Active Directory Users And Computers.
3. In the tree pane, navigate to and select the Employees OU.
4. In the details pane, select Scott Bishop’s user object, and then click the Action
menu.
5. Click the Reset Password command.
6. Enter and confirm a new password for Scott Bishop, and then click OK.
Exercise 4: Examine Authentication Security Event Messages
1. Open the Computer Management console from the Administrative Tools group.
2. Expand Event Viewer and select Security.
3. Make sure the Category column is wide enough that you can identify the types of
events that are logged.
4. Explore the events that have been generated by recent activity. Note the failed
logons, the successful logons, and the resetting of Scott Bishop’s password.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. You enable the password complexity policy for your domain. Describe the
requirements for passwords, and when those requirements will take effect.
2. To monitor potential dictionary attacks against user passwords in your enterprise,
what is the single best auditing policy to configure, and what log or logs will you
evaluate?
3. A user has forgotten his or her password and attempts to log on several times with
an incorrect password. Eventually, the user receives a logon message indicating
that the account is either disabled or locked out. The message suggests that the
user contact an administrator. What must you do? (Choose all that apply.)
a. Delete the user object and recreate it.
b. Rename the user object.
c. Enable the user object.
d. Unlock the user object.
e. Reset the password for the user object.
Lesson Summary
■ The Default Domain Policy drives account policies, including the password and
lockout policies.
■ The Default Domain Controllers Policy specifies key auditing policies for domain
controllers.
■ Auditing for authentication generates events in each domain controller’s secu-
rity logs.
Case Scenario Exercise
One of Contoso’s competitors recently made the news as a recent victim of a breach of
password security that exposed its sensitive data. You decide to audit Contoso’s secu-
rity configuration and you set forth the following requirements:
■ Requirement 1: Because you upgraded your domain controllers from Windows
2000 Server to Windows Server 2003, the domain account policy remained that of
Windows 2000 Server. The domain account policies shall require:
❑ Password changes every 60 days
❑ 8-character passwords
❑ Password complexity
❑ Minimum password duration of one week
❑ Password history of 20 passwords
❑ Account lockout after five invalid logon attempts in a 60-minute period
❑ Administrator intervention to unlock locked out accounts
■ Requirement 2: In addition, ensure that these policies take effect within 24 hours.
Password policies are implemented when a user changes his or her password—
the policies do not affect existing passwords. So you require that users change
their passwords as quickly as possible. You do not want to affect accounts used
by services. Service accounts are stored in Contoso’s Service Accounts OU. User
accounts are stored in the Employees OU and 15 OUs located under the
Employees OU.
■ Requirement 3: Lock down the desktops of the sales representatives so that they
are less likely to install customized Web toolbars, weather watchers, wallpaper-of-
the-day utilities, or other software that might connect to the Internet and expose
the desktop to attack.
Requirement 1
The first requirement involves modifying password and account lockout settings.
1. What should be modified to achieve Requirement 1?
a. The domain controller security template Hisecdc.inf
b. The Default Domain policy
c. The Default Domain Controller policy
d. The domain controller security template Setup Security.inf
2. To configure account lockout so that users must contact the Help Desk to unlock
their accounts, which policy should be specified?
a. Account lockout duration: 999
b. Account lockout threshold: 999
c. Account lockout duration: 0
d. Account lockout threshold: 0
Configure the appropriate domain policies. For guidance, refer to Lesson 4, Exercise 1.
Requirement 2
Requirement 2 indicates that you want to force users to change their password as
quickly as possible. You know that user accounts include the flag User Must Change
Password At Next Logon.
1. What will be the fastest and most effective means to configure user accounts to
require a password change at the next logon?
a. Select a user account. Open its properties and, on the Account page, select
User Must Change Password At Next Logon. Repeat for each user account.
b. Press CTRL+A to select all users in the Employees OU. Choose the Properties
command and, on the Account page, select User Must Change Password At
Next Logon. Repeat for each OU.
c. Use the Dsadd command.
d. Use the Dsrm command.
e. Use the Dsquery and Dsmod commands.
2. The Dsquery command allows you to create a list of objects based on those
objects’ locations or properties and pipe those objects to the Dsmod command,
which then modifies the objects. Open a command prompt and type the following
command:
DSQUERY user "OU=Employees,DC=Contoso,DC=Com"
The command will produce a list of all user objects in the Employees OU. An
advantage of this command is that it would include users in sub-OUs of the
Employees OU. The requirement indicates that you have 15 OUs under the
Employees OU. All would be included in the objects generated by Dsquery.
Now, to meet the requirement, type the following command:
DSQUERY user "OU=Employees,DC=Contoso,DC=Com" | DSMOD user -mustchpwd yes
Requirement 3
This requirement suggests that you modify the user profiles of the sales representatives.
1. What type of profile will be most useful to maintain a locked-down desktop com-
mon to all sales representatives?
a. Local profile
b. Local, mandatory profile
c. The All Users profile
d. Preconfigured roaming group profile
e. Preconfigured roaming mandatory group profile
2. In Lesson 3, Exercise 5, you created a profile called Sales. You made it a manda-
tory profile by renaming Ntuser.dat to Ntuser.man. Finally, you assigned it to sev-
eral users. How can you ensure that each new sales representative uses the same
profile?
Troubleshooting Lab
In this lab, you will generate several types of logon and account-related failures. You
will then identify the causes of those failures and correct them accordingly.
Before proceeding with this lab, you must have user accounts created. The user
accounts mentioned in the lab are those generated in Lesson 2, Exercise 3. You must
also have configured the domain account policies as in Lesson 4, Exercise 1.
Exercise 1: Generate Logon and Account Failures
1. Log off Server01.
2. Generate an account lockout by logging on six times with the username lsmithbates and an invalid password. Notice the difference between the Logon Messages you receive after the attempts and the Logon Message you receive after the account has been locked out.
3. Log on as Danielle Tiedt with username dtiedt.
4. Press CTRL+ALT+DELETE and change the password to a new password.
5. Press CTRL+ALT+DELETE and try to change the password to the original password.
Is it possible? Why or why not?
6. Try to change the password to yet another new password. Is that possible? Why or
why not?
7. Log off.
Exercise 2: Monitor and Identify Logon and Account Management Events
1. Log on as Administrator.
2. Open the Computer Management console from the Administrative Tools group.
3. Expand the Event Viewer and select Security.
4. Make sure the Category column is wide enough that you can identify the types of
events that are logged.
5. Explore the events that have been generated by recent activity. Notice the failed
logon attempts, the lockout, and the attempts to reset Danielle Tiedt’s password.
Exercise 3: Correct Authentication and Account Problems
1. Open Active Directory Users And Computers.
2. In the tree pane, navigate to and select the Employees OU.
3. In the details pane, select Danielle Tiedt’s user object.
4. From the Action menu, click Reset Password.
5. Type Danielle Tiedt’s original password as the new password. Why are you able
to change the password when, while logged on as Danielle Tiedt, you could not?
6. Select Lorrin Smith-Bates’s user object.
7. From the Action menu, click Properties.
8. In the Account tab, clear the Account Is Locked Out check box.
9. Click OK.
Chapter Summary
■ You must be a member of the Enterprise Admins, Domain Admins, or Account
Operators groups, or you must have been delegated administrative permissions to
create user objects.
■ User objects include the properties typically associated with a user “account,”
including logon names and password and the unique SID for the user. They also
include a number of properties related to the individuals they represent, including
personal information, group membership, and administrative settings. Windows
Server 2003 allows you to change some of these properties for multiple users
simultaneously.
■ A user object template is an object that is copied to produce new users. If the template is not a “real” user, it should be disabled. Only a subset of user properties is copied from templates.
■ The Csvde command enables you to import directory objects from a comma-delimited text file.
■ Windows Server 2003 supports powerful new command-line tools to create, manage, and delete directory objects: Dsquery, Dsget, Dsadd, Dsmove, Dsmod, and Dsrm. Frequently, Dsquery will produce a result set of objects that can be piped as input to other commands.
■ Windows Server 2003 provides individual profiles for each user who logs on to the system. Profiles are stored, by default, on the local system in %Systemdrive%\Documents and Settings\%Username%.
■ Roaming profiles require only a shared folder, and the profile path configured in
the user object’s properties.
■ Preconfigured profiles are simply profiles that are copied to the profile path before
the profile path is configured in the user object.
■ Group profiles must be made mandatory, by renaming Ntuser.dat to Ntuser.man,
so that changes made by one user do not affect other users.
■ The Default Domain Policy drives account policies, including the password and
lockout policies, whereas the Default Domain Controllers Policy specifies key
auditing policies for domain controllers.
■ Auditing for authentication generates events in each domain controller’s security
logs.
Exam Highlights
Before taking the exam, review the key points and terms that are presented below to help you identify topics you need to review. Return to the lessons for additional practice and review the “Further Readings” sections in Part 2 for pointers to more information about topics covered by the exam objectives.
Key Points
■ The group memberships or permissions, or both, required to create user accounts.
■ The options at your disposal for creating or managing multiple user accounts: user
templates, importing, and command-line utilities. Understand the differences
among the options, and the relative strengths and weaknesses of each option.
■ The properties that can be accessed or modified, or both, when creating a user,
modifying a user in Active Directory Users And Computers, copying a template,
querying with Dsquery, or adding and modifying users with Dsadd and Dsmod.
■ The process for configuring a roaming user profile, a preconfigured roaming user
profile, or a preconfigured, mandatory group profile.
■ The impact of Group Policy on password and account lockout settings.
■ How to audit authentication events.
Key Terms
user account template You might hear this referred to by other terms, but the idea is the same. A template account is used as the basis for new accounts. It is copied to create a new user, and some of its properties, most notably its group memberships, are copied as well.
disabled account versus locked account An account is disabled if it has expired or
if it has been disabled by an administrator. An account is locked out if it has been
subject to invalid logons beyond the threshold specified by the account lockout
policy.
mandatory profile A user profile that does not maintain modifications between sessions. A user can modify a mandatory profile, but users’ changes are not saved when they log off. Group profiles must be made mandatory, or a change made by one user will affect all users.
Questions and Answers 3-65
Questions and Answers
Lesson 1 Review (page 3-13)
1. You are using Active Directory Users And Computers to configure user objects in your domain, and you are able to change the address and telephone number properties of the user object representing yourself. However, the New User command is unavailable to you. What is the most likely explanation?
You do not have sufficient privileges to create a user object in the container. The snap-in’s commands will adjust to reflect your administrative capabilities. If you do not have the right to create an object, the appropriate New command will be unavailable.
2. You are creating a number of user objects for a team of your organization’s temporary workers. They will work daily from 9:00 A.M. to 5:00 P.M. on a contract that
is scheduled to begin in one month and end two months later. They will not work
outside of that schedule. Which of the following properties should you configure
initially to ensure maximum security for the objects? (Choose all that apply.)
a. Password
b. Logon Hours
c. Account expires
d. Store password using reversible encryption
e. Account is trusted for delegation
f. User must change password at next logon
g. Account is disabled
h. Password never expires
The correct answers are a, b, c, f, g.
3. Which of the following properties and administrative tasks can be configured or
performed simultaneously on more than one user object? (Choose all that apply.)
a. Last Name
b. User Logon Name
c. Disable Account
d. Enable Account
e. Reset Password
f. Password Never Expires
g. User Must Change Password At Next Logon
h. Logon Hours
i. Computer Restrictions (Logon Workstations)
j. Title
k. Direct Reports
The correct answers are c, d, f, g, h, i, j.
Lesson 2 Review (page 3-30)
1. What option will be most useful to generate 100 new user objects, each of which has identical profile path, home folder path, Title, Web Page, Company, Department, and Manager settings?
Dsadd will be the most useful option. You can enter one command line that includes all the parameters. By leaving the UserDN parameter empty, you can enter the users’ distinguished names one at a time in the command console. A user object template does not allow you to configure options including Title, Telephone Number, and Web Page. Generating a comma-delimited text file would be time-consuming, by comparison, and would be overkill, particularly when so many parameters are identical.
2. Which tool will allow you to identify accounts that have not been used for two
months?
a. Dsadd
b. Dsget
c. Dsmod
d. Dsrm
e. Dsquery
The correct answer is e.
3. What variable can be used with the Dsmod and Dsadd commands to create user-specific home folders and profile folders?
a. %Username%
b. $Username$
c. CN=Username
d. <Username>
The correct answer is b.
4. Which tools allow you to output the telephone numbers for all users in an OU?
a. Dsadd
b. Dsget
c. Dsmod
d. Dsrm
e. Dsquery
The correct answers are b and e. Dsquery will produce a list of user objects within an OU and can
pipe that list to Dsget, which in turn can output particular properties such as phone numbers.
Lesson 3 Review (page 3-42)
1. Describe how a user’s desktop is created when roaming user profiles are not
implemented.
When a user logs on to a system for the first time, the system copies the Default User profile and creates a user-specific profile in a folder named, by default, %Systemdrive%\Documents and Settings\%Username%. The environment that the user experiences is a combination of his or her user profile and the All Users profile.
2. Arrange, in order, the steps that reflect the creation of a preconfigured roaming
user profile. Use all steps provided.
a. Customize the desktop and user environment.
b. Log on as a user with sufficient permissions to modify user account properties.
c. Copy the profile to the network.
d. Create a user account so that the profile can be created without modifying
any user’s current profile.
e. Log on as the profile account.
f. Enter the UNC path to the profile in a user’s Profile property sheet.
g. Log on as a local or domain administrator.
1. Create a user account so that the profile can be created without modifying any user’s current profile.
2. Log on as the profile account.
3. Customize the desktop and user environment.
4. Log on as a local or domain administrator.
5. Copy the profile to the network.
6. Log on as a user with sufficient permissions to modify user account properties.
7. Enter the UNC path to the profile in a user’s Profile property sheet.
3. How do you make a profile mandatory?
a. Configure the permissions on the folder’s Security property sheet to deny
write permission.
b. Configure the permissions on the folder’s Sharing property sheet to allow only read permission.
c. Modify the attributes of the profile folder to specify the Read Only attribute.
d. Rename Ntuser.dat to Ntuser.man.
The correct answer is d.
Lesson 4 Review (page 3-58)
1. You enable the password complexity policy for your domain. Describe the
requirements for passwords and when those requirements will take effect.
The password must not be based on the user’s account name; must contain at least six characters, with at least one character from three of the four categories: uppercase, lowercase, Arabic numerals, and nonalphanumeric characters. The requirements will take effect immediately for all new accounts. Existing accounts will be affected when they next change their password.
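The following is an added example, not code from the training kit: a check that applies the complexity requirements exactly as the answer above states them, so you can see which rule a candidate password breaks. It assumes that "not based on the account name" means "does not contain the account name" (a simplification), and the sample passwords are constructed.

```python
# Added example, not from the training kit: applies the password complexity
# requirements as the Lesson 4 answer states them. "Not based on the account
# name" is simplified here (an assumption) to "does not contain the account
# name". Sample passwords and the account name dtiedt are constructed.


def categories_used(password):
    """Which of the four character categories the password draws on."""
    used = set()
    for ch in password:
        if ch.isupper():
            used.add("uppercase")
        elif ch.islower():
            used.add("lowercase")
        elif ch.isdigit():
            used.add("Arabic numeral")
        else:
            used.add("nonalphanumeric")
    return used


def complexity_failures(password, account_name):
    """Rules the password breaks; an empty list means the policy is met."""
    failures = []
    if len(password) < 6:
        failures.append("fewer than six characters")
    if account_name and account_name.lower() in password.lower():
        failures.append("based on the account name")
    used = categories_used(password)
    if len(used) < 3:
        failures.append(f"uses {len(used)} of 4 character categories "
                        f"({', '.join(sorted(used)) or 'none'}); 3 are required")
    return failures


def meets_complexity(password, account_name):
    """True when the password would be accepted under the complexity policy."""
    return not complexity_failures(password, account_name)


if __name__ == "__main__":
    # Constructed candidates for the user dtiedt from the Troubleshooting Lab
    for pwd in ("Passw0rd!", "dtiedt1!", "abc12", "aaaaaaaa"):
        print(repr(pwd), complexity_failures(pwd, "dtiedt") or "meets the policy")
```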
2. To monitor potential dictionary attacks against user passwords in your enterprise,
what is the single best auditing policy to configure, and what log or logs will you
evaluate?
The Audit Policy to audit Account Logon failures is the most effective policy to specify under these circumstances. Failed logons will generate events in the Security logs of all domain controllers.
3. A user has forgotten his or her password and attempts to log on several times with
an incorrect password. Eventually, the user receives a logon message indicating
that the account is either disabled or locked out. The message suggests that the
user contact an administrator. What must you do?
a. Delete the user object and recreate it.
b. Rename the user object.
c. Enable the user object.
d. Unlock the user object.
e. Reset the password for the user object.
The correct answers are d and e. Although the logon message text on Windows 2000 and earlier operating system versions indicates that the account is disabled, the account is actually locked. Windows Server 2003 displays an accurate message that the account is, in fact, locked out. However, you can recognize the problem by examining what caused the message: a user forgot his or her password. You must unlock the account and reset the password.
Case Scenario Exercise, Requirement 1
1. What should be modified to achieve Requirement 1?
a. The domain controller security template Hisecdc.inf
b. The Default Domain policy
c. The Default Domain Controller policy
d. The domain controller security template Setup Security.inf
The correct answer is b.
2. To configure account lockout so that users must contact the Help Desk to unlock
their accounts, which policy should be specified?
a. Account lockout duration: 999
b. Account lockout threshold: 999
c. Account lockout duration: 0
d. Account lockout threshold: 0
The correct answer is c.
Configure the appropriate domain policies. For guidance, refer to Lesson 4, Exercise 1.
Case Scenario Exercise, Requirement 2
1. What will be the fastest and most effective means to configure user accounts to
require a password change at the next logon?
a. Select a user account. Open its properties and, on the Account page, select
User Must Change Password At Next Logon. Repeat for each user account.
b. Press CTRL+A to select all users in the Employees OU. Choose the Properties
command and, on the Account page, select User Must Change Password At
Next Logon. Repeat for each OU.
c. Use the Dsadd command.
d. Use the Dsrm command.
e. Use the Dsquery and Dsmod commands.
The correct answer is e.
Case Scenario Exercise, Requirement 3
1. What type of profile will be most useful to maintain a locked-down desktop common to all sales representatives?
a. Local profile
b. Local, mandatory profile
c. The All Users profile
d. Preconfigured roaming group profile
e. Preconfigured roaming mandatory group profile
The correct answer is b.
2. In Lesson 3, Exercise 5, you created a profile called Sales. You made it a mandatory profile by renaming Ntuser.dat to Ntuser.man. Finally, you assigned it to several users. How can you ensure that each new sales representative uses the same profile?
Modify the Sales Representative template account you created in Lesson 2, Exercise 1. In the Profile tab, type the profile path: \\server01\profiles\sales. Confirm the success of your work by copying the template to create a new user account; then log on as that user. Make modifications to the desktop, log off, and log on again. The changes you made to the profile do not persist between sessions.
4 Group Accounts
Exam Objectives in this Chapter:
■ Create and manage groups
❑ Create and modify groups by using the Microsoft Active Directory Users And
Computers MMC snap-in
❑ Identify and modify the scope of a group
❑ Manage group membership
❑ Create and modify groups by using automation
Why This Chapter Matters
Users, groups, and computers are the key objects in Active Directory directory service because they allow workers, their managers, system administrators—anyone using a computer on the network—to establish their identity on the network as a security principal. Without this identification, personnel cannot gain access to the computers, applications, and data needed to do their daily work. Although it is true that the minimal identification required is that of a user and computer, management of individual user security principals becomes needlessly complicated unless users are organized into groups. Assigning permissions to hundreds of users individually is not scalable; wise use of groups makes the process of creating and administering permissions much easier.
Microsoft Windows Server 2003 has two types of groups, each with three distinct
scopes. Understanding the constructions of these groups within the correct scope
ensures the best use of administrative resources when creating, assigning, and
managing access to resources. The possibilities of group construction also
depend on whether the domain or forest in which they are created is running in
the Microsoft Windows 2000 mixed, Windows 2000 native, Windows Server 2003
interim, or Windows Server 2003 domain functional level. Windows Server 2003
comes with several groups already created, or built-in. You can create as many
additional groups as you need.
Lessons in this Chapter:
■ Lesson 1: Understanding Group Types and Scopes (page 4-3)
■ Lesson 2: Managing Group Accounts (page 4-12)
■ Lesson 3: Using Automation to Manage Group Accounts (page 4-15)
4-2 Chapter 4 Group Accounts
Before You Begin
To follow and perform the practices in this chapter, you need
■ A computer designated Server01 with Windows Server 2003 installed.
■ Server01 should be a domain controller in the contoso.com domain.
Lesson 1 Understanding Group Types and Scopes 4-3
Lesson 1: Understanding Group Types and Scopes
Groups are objects that can include user, computer, and other group objects as members. When security permissions are set for a group in the access control list (ACL) on a resource, all members of that group receive those permissions.
Windows Server 2003 has two group types: security and distribution. Security groups are used to assign permissions for access to network resources. Distribution groups are used to combine users for e-mail distribution lists. Security groups can be used as an e-mail distribution list, but distribution groups cannot be in an ACL. Proper planning of group structure affects maintenance and scalability, especially in an enterprise environment, in which multiple organizational units (OUs), domains, or forests are involved.
Tip Although you can configure permissions for individual users and computers, doing so
should be the exception rather than the rule. The best administrative practice is to assign
permissions to groups.
After this lesson, you will be able to
■ Identify the two types of groups and their proper use
■ Identify the three types of group scope and their proper use
■ Understand the difference between groups and identities
Estimated lesson time: 15 minutes
Domain Functional Levels
In Windows Server 2003, four domain functional levels are available: Windows
2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and
Windows Server 2003.
■ Windows 2000 mixed For supporting Microsoft Windows NT 4, Windows
2000, and Windows Server 2003 domain controllers
■ Windows 2000 native For supporting Windows 2000 and Windows
Server 2003 domain controllers
■ Windows Server 2003 interim For supporting Windows NT 4 and
Windows Server 2003 domain controllers
■ Windows Server 2003 For supporting Windows Server 2003 domain
controllers
Limitations on group properties discussed in this chapter and elsewhere in this
book will refer to these domain functional levels. For more information regarding
domain functional levels, consult the Windows Help And Support Center.
Group Scope
Group scope defines how permissions are assigned to the group members. Windows
Server 2003 groups, both security and distribution groups, are classified into one of
three group scopes: domain local, global, and universal.
Note Although local groups are not considered part of the group scope of Windows Server
2003, they are included for completeness.
Local Groups
Local groups (or machine local groups) are used primarily for backward compatibility
with Windows NT 4. There are local users and groups on computers running Windows
Server 2003 that are configured as member servers. Domain controllers do not use local
groups.
■ Local groups can include members from any domain within a forest, from trusted
domains in other forests, and from trusted down-level domains.
■ A local group has only machinewide scope; it can grant resource permissions only
on the machine on which it exists.
Domain Local Groups
Domain local groups are used primarily to assign access permissions to global groups
for local domain resources. Domain local groups:
■ Exist in all mixed, interim, and native functional level domains and forests.
■ Are available domainwide only in Windows 2000 native or Windows Server 2003 domain functional level domains. Domain local groups function as a local group on the domain controllers while the domain is in mixed or interim domain functional level.
■ Can include members from any domain in the forest, from trusted domains in
other forests, and from trusted down-level domains.
■ Have domainwide scope in Windows 2000 native and Windows Server 2003
domain functional level domains and can be used to grant resource permission on
any computer running Windows Server 2003 within, but not beyond, the domain
in which the group exists.
Global Groups
Global groups are used primarily to provide categorized membership in domain local groups for individual security principals or for direct permission assignment (particularly in the case of a mixed or interim domain functional level domain). Often, global groups are used to collect users or computers in the same domain and share the same job, role, or function. Global groups:
■ Exist in all mixed, interim, and native functional level domains and forests
■ Can include only members from within their domain
■ Can be made a member of machine local or domain local group
■ Can be granted permission in any domain (including trusted domains in other forests and pre–Windows 2003 domains)
■ Can contain other global groups (Windows 2000 native or Windows Server 2003
domain functional level only)
Universal Groups
Universal groups are used primarily to grant access to resources in all trusted domains,
but universal groups can be used only as a security principal (security group type) in
a Windows 2000 native or Windows Server 2003 domain functional level domain.
■ Universal groups can include members from any domain in the forest.
■ In domains configured at the Windows 2000 native or Windows Server 2003
domain functional level, you can grant universal groups permissions in any
domain, including domains in other forests with which a trust exists.
Tip Universal groups can help you represent and consolidate groups that span domains
and perform common functions across the enterprise. A useful guideline is to designate
widely used groups that seldom change as universal groups.
Table 4-1 summarizes the use of Windows Server 2003 domain groups as security principals (group type: security).
Table 4-1 Security Group Scope and Membership
Windows 2000 native or Windows Server 2003 domain functional level domain
Domain Local
Members can include: Computer accounts, users, global groups, and universal groups from any domain in the forest or any trusted domain. Domain local groups from the same domain.
Group can be a member of: Domain local groups in the same domain.
Global
Members can include: Users, computers, and global groups from the same domain.
Group can be a member of: Global groups in the same domain. Domain local groups in any domain in the forest or in any trusting domain.
Universal
Members can include: Universal groups, global groups, users, and computers from any domain in the forest.
Group can be a member of: Other universal groups or domain local groups in any domain in the forest.
Windows 2000 mixed or Windows Server 2003 interim functional level domain
Domain Local
Members can include: Computer accounts, users, and global groups from any domain in the forest or any trusted domain.
Group can be a member of: Cannot be a member of any other group at these domain functional levels.
Global
Members can include: Only users and computers from the same domain.
Group can be a member of: Domain local groups in any domain in the forest or in any trusting domain.
Universal
Universal security groups are not available in these domain functional levels; however, distribution groups can be created with universal scope.
! Exam Tip Remember that global groups can contain only user, computer, and (in Windows
2000 native or Windows Server 2003 domain functional level) other global groups from the
same domain. Global groups can never contain members from other domains.
Although there are numerous possibilities for managing users and groups, as indicated in Table 4-1, there is an important best practice for managing users, group membership, and resource access in an Active Directory domain. It is described here along with examples that relate to a forest belonging to Contoso, a global travel company with two domains: adventure-works.com and blueyonderairlines.com.
Best Practices: An Example
Within the Contoso company, users are members of global groups. (A global group represents a role for a collection of users, which might include their job function, location, or organizational position.) Members of the accounting department in Adventure Works belong to the AdventureWorksAccountants global group. Similarly, accountants who work for Blue Yonder Airlines belong to the Accountants global group in the BlueYonderAirlines domain.
In Windows 2000 native and Windows Server 2003 domain functional levels, global groups may occasionally be members of universal groups. (A universal group represents a role that spans multiple domains in the forest.) A universal group called ContosoAccountants is created. The AdventureWorksAccountants and BlueYonderAirlinesAccountants groups are its two members. This group represents all accountants across both businesses in Contoso.
Global and universal groups are members of domain local groups. (A domain
local group represents the access required to perform a particular task.) In the
Adventure Works domain, a share is created that contains the Adventure Works
budget. Similarly, a share in the Blue Yonder Airlines domain contains the airline’s
budget. It is determined that the accountants in each business will be able to
modify the budget for their business and read the budget for the other business.
The following domain local security groups are created and assigned permissions
on the shares:
■ AdventureWorksBudget_Modify. This group is granted Modify permission to the Adventure Works budget. Its membership consists of the AdventureWorksAccountants group.
■ AdventureWorksBudget_Read. This group is granted Read permission to the Adventure Works budget. Its membership consists of the ContosoAccountants universal group. If the domain is not in Windows 2000 native or Windows Server 2003 domain functional level, that group would not exist, so the membership of the Budget_Read group would be both the AdventureWorksAccountants and BlueYonderAirlinesAccountants global groups.
■ BlueYonderAirlinesBudget_Modify. This group is granted Modify permission to the airline’s budget. Its membership consists of the BlueYonderAirlinesAccountants group.
■ BlueYonderAirlinesBudget_Read. This group is granted Read permission to the airline’s budget. Its membership consists of the ContosoAccountants universal group. If the domain is not in Windows 2000 native or Windows Server 2003 domain functional level, that group would not exist; therefore, the membership of the Budget_Read group would be both the AdventureWorksAccountants and BlueYonderAirlinesAccountants global groups.
Although this best practice implies a large number of groups for an organization,
it enables simplified auditing by minimizing the number of entries on an ACL and
enables flexible management of resource access. For example, if an external
auditing firm is hired to audit the budgets, the user accounts for those auditors
could be placed in a group, Auditors, and that group could be added to the
Budget_Read groups in each domain. Of course, in the real world the
Budget_Read group may be granted read permission to many budget-related
resources. By modifying a group’s membership, instead of modifying the individual ACLs of all budget-related resources, managing access to all budget-related resources becomes significantly easier.
Group Conversion
You determine the scope of a group at the time of its creation. However, in a Windows
2000 native or Windows Server 2003 domain functional level domain, you can convert
domain local and global groups to universal groups, and you can convert universal
groups to global and domain local groups in the domain in which you created the universal group. You can change group scope simply by selecting the new scope in the
Group Scope pane of the group’s Properties dialog box.
Alternatively, the Dsmod command, discussed in Chapter 3 and in Lesson 3 of this
chapter, can modify group scope. For example, the following command changes the
scope of the Finance group to universal:
dsmod group "CN=Finance,OU=Groups,DC=contoso,DC=com" -scope u
Scopes of u (universal), g (global), and l (domain local) are permitted. A change of
scope is not permitted if:
■ The domain is not at Windows 2000 native or Windows Server 2003 domain functional level.
■ The group’s current memberships would violate group rules if its scope were
changed. For example, if a global group, Finance, is a member of another global
group, you can’t convert the Finance group to universal scope because universal
groups cannot belong to global groups.
Tip Although a global group cannot be directly converted to a domain local group, you can
achieve such scope by converting the global group to a universal group and then converting
the universal group to a domain local group.
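The following is an added example, not code from the training kit: a small model of the security-group membership rules of Table 4-1 and of the scope-conversion rules just described, built on the Best Practices groups above. It assumes one functional level for the whole forest; the Finance and Staff groups used to show a blocked conversion are constructed.

```python
# Added example, not from the training kit: models the security-group nesting
# rules of Table 4-1 and the scope-conversion rules of "Group Conversion".
# Group and domain names follow the Best Practices example; the Finance and
# Staff groups are constructed. One functional level is assumed forest-wide.
from dataclasses import dataclass, field

DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "domain local", "global", "universal"
# Levels at which universal security groups and global-in-global nesting exist
NATIVE_LEVELS = {"Windows 2000 native", "Windows Server 2003"}


@dataclass
class Group:
    name: str
    domain: str
    scope: str
    members: set = field(default_factory=set)  # names of member groups only


class Forest:
    """The groups of one forest at one (assumed uniform) functional level."""

    def __init__(self, level):
        self.level = level
        self.groups = {}

    def add(self, group):
        if group.scope == UNIVERSAL and self.level not in NATIVE_LEVELS:
            raise ValueError("universal security groups need a native-level domain")
        self.groups[group.name] = group
        return group

    def can_contain(self, parent, child):
        """Table 4-1: may group `child` be a member of group `parent`?"""
        same_domain = parent.domain == child.domain
        if self.level not in NATIVE_LEVELS:
            # Mixed/interim: the only group nesting is global inside domain local
            return parent.scope == DOMAIN_LOCAL and child.scope == GLOBAL
        if parent.scope == DOMAIN_LOCAL:
            return child.scope in (GLOBAL, UNIVERSAL) or (
                child.scope == DOMAIN_LOCAL and same_domain)
        if parent.scope == GLOBAL:
            return child.scope == GLOBAL and same_domain
        return child.scope in (GLOBAL, UNIVERSAL)  # universal parent

    def add_member(self, parent_name, child_name):
        parent, child = self.groups[parent_name], self.groups[child_name]
        if not self.can_contain(parent, child):
            raise ValueError(f"{child.scope} group {child_name} cannot be a "
                             f"member of {parent.scope} group {parent_name}")
        parent.members.add(child_name)

    def scope_change_problems(self, name, new_scope):
        """Why `name` cannot become `new_scope`; an empty list means it can."""
        group = self.groups[name]
        if self.level not in NATIVE_LEVELS:
            return ["domain is not at Windows 2000 native or Windows Server "
                    "2003 domain functional level"]
        if {group.scope, new_scope} == {GLOBAL, DOMAIN_LOCAL}:
            return ["global and domain local scopes cannot be converted "
                    "directly; convert to universal first"]
        trial = Group(name, group.domain, new_scope, group.members)
        problems = []
        for child_name in group.members:  # would its members still be legal?
            child = self.groups[child_name]
            if not self.can_contain(trial, child):
                problems.append(f"member {child_name} ({child.scope}, "
                                f"{child.domain}) not allowed in a {new_scope} group")
        for other in self.groups.values():  # would its parents still accept it?
            if name in other.members and not self.can_contain(other, trial):
                problems.append(f"{other.name} ({other.scope}) cannot "
                                f"contain a {new_scope} group")
        return problems

    def change_scope(self, name, new_scope):
        problems = self.scope_change_problems(name, new_scope)
        if problems:
            raise ValueError("; ".join(problems))
        self.groups[name].scope = new_scope


def contoso_forest():
    """The Best Practices example: global -> universal -> domain local -> ACL."""
    f = Forest("Windows Server 2003")
    f.add(Group("AdventureWorksAccountants", "adventure-works.com", GLOBAL))
    f.add(Group("BlueYonderAirlinesAccountants", "blueyonderairlines.com", GLOBAL))
    f.add(Group("ContosoAccountants", "adventure-works.com", UNIVERSAL))
    f.add(Group("AdventureWorksBudget_Modify", "adventure-works.com", DOMAIN_LOCAL))
    f.add(Group("AdventureWorksBudget_Read", "adventure-works.com", DOMAIN_LOCAL))
    f.add_member("ContosoAccountants", "AdventureWorksAccountants")
    f.add_member("ContosoAccountants", "BlueYonderAirlinesAccountants")
    f.add_member("AdventureWorksBudget_Modify", "AdventureWorksAccountants")
    f.add_member("AdventureWorksBudget_Read", "ContosoAccountants")
    return f


if __name__ == "__main__":
    forest = contoso_forest()
    # Constructed: Finance (global) sits inside another global group, so the
    # dsmod -scope u conversion from the text would be refused
    forest.add(Group("Finance", "adventure-works.com", GLOBAL))
    forest.add(Group("Staff", "adventure-works.com", GLOBAL))
    forest.add_member("Staff", "Finance")
    for reason in forest.scope_change_problems("Finance", UNIVERSAL):
        print("blocked:", reason)
```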
In a Windows 2000 native or Windows Server 2003 domain functional level domain, it
is also possible to convert a group’s type from distribution to security and from security
to distribution. Make the change in the Group Type pane of the group’s properties dialog box, shown in Figure 4-1, or use Dsmod group with the -secgroup no parameter.
Figure 4-1 Properties page of the Sales security group
Note Be aware of the security implications of changing a security group, which may be
allowed or denied access to a resource, into a distribution group, which is no longer evaluated when a user accesses that resource. It is possible that after the conversion, members
of the group might lose access to resources that the security group had allowed or might gain
access to resources that had previously been denied.
Special Identities
There are also some special groups called special identities that are managed by the
operating system. Special identities cannot be created or deleted; nor can their membership be modified by administrators. Special identities do not appear in the Active Directory Users And Computers snap-in or in any other computer management tool, but can be assigned permissions in an ACL. Table 4-2 details some of the special identities in Windows Server 2003.
Table 4-2 Special Identities and Their Representation
Everyone: Represents all current network users, including guests and users from other domains. Whenever a user logs on to the network, that user is automatically added to the Everyone group.
Network: Represents users currently accessing a given resource over the network (as opposed to users who access a resource by logging on locally at the computer where the resource is located). Whenever a user accesses a given resource over the network, the user is automatically added to the Network group.
Interactive: Represents all users currently logged on to a particular computer and accessing a given resource located on that computer (as opposed to users who access the resource over the network). Whenever a user accesses a given resource on the computer to which they are logged on, the user is automatically added to the Interactive group.
Anonymous Logon: The Anonymous Logon group refers to any user who is using network resources but did not go through the authentication process.
Authenticated Users: The Authenticated Users group includes all users who are authenticated into the network by using a valid user account. When assigning permissions, you can use the Authenticated Users group in place of the Everyone group to prevent anonymous access to resources.
Creator Owner: The Creator Owner group refers to the user who created or took ownership of the resource. For example, if a user created a resource, but the Administrator took ownership of it, then the Creator Owner would be the Administrator.
Dialup: The Dialup group includes anyone who is connected to the network through a dialup connection.
Caution These groups can be assigned permissions to network resources, although caution should be used when assigning some of these groups permissions. Members of these groups are not necessarily users who have been authenticated to the domain. For instance, if you assign full permissions to a share for the Everyone group, users connecting from any trusted domains will have access to the share.
Practice: Changing the Group Type and Scope
In this practice, you get hands-on experience creating groups and modifying their scope.
Exercise 1: Creating and Modifying a Group
In this exercise, you will change the type of group and its scope.
1. In Active Directory Users And Computers, create a global distribution group in the
Users container called Agents.
2. Right-click the Agents group, and then choose Properties.
Can you change the scope and type of the group? If not, why not?
If you cannot change the type and scope of the group, the domain in which you
are operating is still in mixed or Windows Server 2003 interim domain functional
level. You must raise the domain functional level to either Windows 2000 native or
Windows Server 2003 to change group type or scope.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. What type of domain group is most like the local group on a member server? How
are they alike?
2. If you are using universal groups in your domain or forest, and you need to give permission-based access to the members of the universal group, what configuration must be true of the universal group?
3. In a domain running in Windows Server 2003 domain functional level, what security principals can be a member of a global group?
Lesson Summary
■ There are two types of groups: security and distribution. Security groups can be assigned permissions, whereas distribution groups are used for query containers, such as e-mail distribution groups, and cannot be assigned permissions to a resource.
■ Security permissions for a group are assigned in an ACL just as for any other security principal, such as a user or computer.
■ In Windows 2000 native or Windows Server 2003 domain functional level, groups of both security and distribution type can be constructed as domain local, global, or universal, each with a different scope as to which security principals they can contain.
Lesson 2: Managing Group Accounts
The Active Directory Users And Computers MMC is the primary tool you will use to
administer security principals—users, groups, and computers—in the domain. In the
creation of groups, you will configure the scope, type, and membership for each. You
will also use the Active Directory Users And Computers MMC to modify membership of
existing groups.
After this lesson, you will be able to
■ Create a group
■ Modify the membership of a group
■ Find the domain groups to which a user belongs
Estimated lesson time: 10 minutes
Creating a Security Group
The tool that you will use most often for creating groups is the Active Directory Users
And Computers MMC, which you can find in the Administrative Tools folder. From
within the Active Directory Users And Computers MMC, right-click the details pane of
the container within which you want to create the group, and choose New, Group.
You then must select the type and scope of group that you want to create.
The type of group that you will create most often is a security group because this is the
type of group you use to assign permissions in an ACL. In a mixed or interim domain
functional level domain, you can create a security group of only domain local or global
scope. As Figure 4-2 illustrates, you cannot create a security group that has universal
scope in domains that are at mixed or interim domain functional level.
Figure 4-2 Security groups in mixed or interim functional level domains
You can, however, create domain local, global, and universal groups as a distribution
type in a mixed or interim domain functional level domain. At the Windows 2000
native or Windows Server 2003 domain functional level, you can create both security
and distribution groups with any scope.
Modifying Group Membership
Adding or deleting members from a group is also accomplished through Active Directory Users And Computers. Right-click any group, and choose Properties. Figure 4-1 illustrates the Properties dialog box of a global security group called Sales.
Table 4-3 explains the member configuration tabs of the Properties dialog box.
Table 4-3 Membership Configuration
Members tab: Adding, removing, or listing the security principals that belong to this group
Member Of tab: Adding, removing, or listing the groups to which this group belongs
Practice: Modifying Group Membership
In this practice, you will work with group memberships and nesting to identify which
combinations of group memberships are possible.
Exercise 1: Nesting Group Memberships
1. If the domain functional level is not already set to Windows Server 2003, use the
Active Directory Users And Computers MMC to raise the domain functional level
to Windows Server 2003.
2. Create three global groups in the Users OU: Group 1, Group 2, and Group 3.
3. Create three user accounts: User 1, User 2, and User 3.
4. Make User 1, User 2, and User 3 members of Group 1.
5. Make Group 1 a member of Group 2.
Which groups can now be converted to universal groups? Test your theory. (You
should be able to convert 2 of the 3 groups without error.)
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. In the properties of a group, which tab will you access to add users to the group?
2. You want to nest the IT Administrators group responsible for the Sales group
inside the Sales group so that its members will have access to the same resources
(set by permissions in an ACL) as the Sales group. From the Properties page of the
IT Administrators group, what tab will you access to make this setting?
3. If your environment consists of two domains, one Windows Server 2003 and one
Windows NT 4, what group scopes can you use for assigning permissions on any
resource on any domain-member computer?
Lesson Summary
■ Modifying group memberships is accomplished through Active Directory Users
And Computers.
■ If you access the properties of a security principal that is to be a member of a group, you set the group membership on the Member Of tab of the security principal’s properties. If you access the container (group) that is to hold members, set the members of the container on the Members tab.
■ Groups can be nested when the domain in which they reside is set to either the
Windows 2000 native or Windows Server 2003 domain functional level. If the
domain is in mixed or interim domain functional level, which means that you are
still supporting Windows NT 4 domain controllers, no group nesting is possible.
■ Changing the type or scope of a group is only possible when the domain func-
tional level is Windows 2000 native or Windows Server 2003.
Lesson 3: Using Automation to Manage Group Accounts
Although the Active Directory Users And Computers MMC is a convenient way to create and modify groups individually, it is not the most efficient method for creating large numbers of security principals. A tool included with Windows Server 2003, Ldifde.exe, facilitates the importing and exporting of larger numbers of security principals, including groups.
After this lesson, you will be able to
■ Import security principals with Ldifde
■ Export security principals with Ldifde
■ Use the Dsadd and Dsmod commands to create and modify groups
Estimated lesson time: 30 minutes
Real World Account Creation
Often you will have a collection of data that already has a great deal of the information with which you will populate your Windows Server 2003 Active Directory. The data might currently be in an existing directory such as Windows NT 4.0, Windows 2000 Active Directory, Novell Directory Services (NDS), or some other type of database. (Human Resources departments are famous for compiling data, for example.)
If you have this user data available, you can use it to populate Active Directory. Many tools are available to facilitate the transfer of data between directory services, such as Ldifde.exe. In addition, most database programs have the built-in capacity to export their data into a comma-separated value (CSV) file, which Csvde.exe can import.
Using Csvde
Csvde, discussed in detail in Chapter 3, “User Accounts,” supports the creation of
objects from comma-separated text files. The following example shows a .csv file that
will create a group, Marketing, and populate the group with two initial members:
Dan Holme and Scott Bishop. The objects listed in the member attribute must already
exist in the directory service. The distinguished names (DNs) of member objects are
separated by semicolons.
objectClass,sAMAccountName,DN,member
group,Marketing,"CN=Marketing,OU=Employees,DC=contoso,DC=com","CN=Dan Holme,OU=Employees,DC=contoso,DC=com;CN=Scott Bishop,OU=Employees,DC=contoso,DC=com"
You could import this file into Active Directory using the command:
csvde -i -f filename.csv
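To show what Csvde must do with the member column of a file like the one above, here is an added Python example; it is not the book’s code and not how Csvde is implemented. It parses a constructed .csv file in the layout just shown, splits the semicolon-separated member DNs, and reports any member whose DN is not already in the directory, using a constructed set of existing DNs as a stand-in for Active Directory. SAMPLE_CSV, EXISTING_DNS and the function names are this example’s own.

```python
# Added example (Python), not the book's or Csvde's code: parse a Csvde-style
# group file and check that every member DN already exists.
import csv
import io

# Constructed sample in the layout the text shows: one header row, then one
# group row whose member column holds several DNs separated by semicolons.
SAMPLE_CSV = (
    "objectClass,sAMAccountName,DN,member\n"
    'group,Marketing,"CN=Marketing,OU=Employees,DC=contoso,DC=com",'
    '"CN=Dan Holme,OU=Employees,DC=contoso,DC=com;'
    'CN=Scott Bishop,OU=Employees,DC=contoso,DC=com"\n'
)

# Constructed stand-in for the directory: the DNs that already exist.
EXISTING_DNS = {
    "CN=Dan Holme,OU=Employees,DC=contoso,DC=com",
    "CN=Scott Bishop,OU=Employees,DC=contoso,DC=com",
}


def parse_group_rows(text):
    """Return one dict per data row, with the multi-valued member column
    split on ';' into a list of DNs (an empty cell gives an empty list)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        raw_members = row.get("member") or ""
        members = [m.strip() for m in raw_members.split(";") if m.strip()]
        rows.append({
            "objectClass": row["objectClass"],
            "sAMAccountName": row["sAMAccountName"],
            "dn": row["DN"],
            "members": members,
        })
    return rows


def missing_members(rows, existing_dns):
    """Map each group DN to the member DNs that do not exist yet. DNs are
    compared case-insensitively, as Active Directory matches them."""
    existing = {dn.lower() for dn in existing_dns}
    result = {}
    for row in rows:
        absent = [m for m in row["members"] if m.lower() not in existing]
        if absent:
            result[row["dn"]] = absent
    return result
```

Run missing_members(parse_group_rows(SAMPLE_CSV), EXISTING_DNS) before the import; an empty result means every member the file names is already in the directory, which is the condition the text states for the import to succeed.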
Using Ldifde
The Ldifde command allows you to import and export accounts using Lightweight
Directory Access Protocol (LDAP) file formats. It is explained in the Windows Help
And Support Center (search for “Ldifde”). Figure 4-3 lists the primary commands used
with Ldifde displayed by typing ldifde /? at the command prompt.
Figure 4-3 Ldifde command-line help file
The two most important switches for the Ldifde command are:
■ -i Turn on Import mode. (The default is Export.)
■ -f FileName: the Input or Output FileName
For example, the following command will import objects from the file named
Groups.ldf:
ldifde.exe -i -f groups.ldf
Table 4-4 details the primary Ldifde commands.
Table 4-4 Ldifde Commands (Primary)
General parameters
-i: Turn on Import mode (the default is Export)
-f filename: Input or Output filename
-s servername: The server to bind to
-c FromDN ToDN: Replace occurrences of FromDN with ToDN
-v: Turn on Verbose mode
-j path: Log file location
-t port: Port number (default = 389)
-?: Help
Export-specific parameters
-d RootDN: The root of the LDAP search (default is the naming context)
-r Filter: LDAP search filter (default is “(objectClass=*)”)
-p SearchScope: Search scope (Base/OneLevel/Subtree)
-l list: List of attributes (comma-separated) to look for in an LDAP search
-o list: List of attributes (comma-separated) to omit from input
-g: Disable paged search
-m: Enable the Security Accounts Manager (SAM) logic on export
-n: Do not export binary values
Import-specific parameters
-k: The import will ignore “Constraint Violation” and “Object Already Exists” errors
Credentials parameters
-a UserDN: Sets the command to run using the supplied user distinguished name and password; for example: “cn=administrator,dc=contoso,dc=com password”
-b UserName Domain: Sets the command to run as username domain password; the default is to run using the credentials of the currently logged-on user
Note The Ldifde utility is included in Windows Server 2003, and you can copy it to a computer running Windows 2000 Professional or Windows XP. From there it can bind to the Windows Server 2003 Active Directory and be used remotely.
The format of the file used by Ldifde is not quite as intuitive as the CSV file format.
Lightweight Directory Access Protocol (LDAP) Data Interchange Format (LDIF) is a draft
Internet standard for a file format used to perform batch operations against directories
that conform to LDAP standards. You can use LDIF to both import and export data,
allowing batch operations such as add, create, delete, and modify to be performed
against Active Directory. The Ldifde command-line utility included in Windows Server
2003 supports batch operations based on the LDIF file format standard. Therefore, the
LDIF file format is to Ldifde what the CSV file format is to Csvde.
The LDIF file format consists of attribute names followed by a colon and the value of the attribute. As an example, suppose that you wanted to use Ldifde to create two global groups named Marketing and Finance in the Users container of the contoso.com domain. The contents of the LDIF file would look similar to the following example (a blank line separates one record from the next):
DN: CN=Marketing,CN=Users,DC=Contoso,DC=Com
changeType: add
CN: Marketing
description: Marketing Users
objectClass: group
sAMAccountName: Marketing

DN: CN=Finance,CN=Users,DC=Contoso,DC=Com
changeType: add
CN: Finance
description: Finance Users
objectClass: group
sAMAccountName: Finance
Although doing so is not strictly required, you would usually save this text file with a
.ldf extension—for example, Groups.ldf. The changeType entry is not an attribute
name. Instead, its value specifies the type of operation that needs to occur. The three
valid changeType values are add, modify, and delete. As the names suggest, add will
import new content into the directory, modify will change the configuration of existing
content, and delete will remove the specified content.
To import the contents of the LDIF file shown above, the command would be:
ldifde.exe -i -f groups.ldf
After this command is issued, two new global groups named Marketing and Finance would be added to the Users container of the contoso.com domain. To add two members to a group using Ldifde, the LDIF file would be:
dn: CN=Finance,CN=Users,DC=Contoso,DC=Com
changetype: modify
add: member
member: CN=Dan Holme,OU=employees,dc=contoso,dc=com
member: CN=Scott Bishop,OU=employees,dc=contoso,dc=com
-
The changetype is set to modify and then the change operation is specified: add objects to the member attribute. Each new member is then listed on a separate line that begins with the attribute name, member. The change operation is terminated with a line containing a single dash. Changing the third line to the following would remove the two specified members from the group:
delete: member
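The add and modify records above, as an added Python example that is not the book’s code and not Ldifde itself: a small parser that reads both record types, enforces the dash terminator on each change block, and fails on a line that contains only white space, which is the kind of stray white space the Tip in Exercise 3 later warns will make Ldifde fail. SAMPLE_LDIF is the two records from the text joined into one constructed file; the function and class names are this example’s own.

```python
# Added example (Python), not the book's or Ldifde's code: a minimal parser
# for the LDIF change records that Ldifde consumes.

# Constructed input: the add and modify records from the text, back to back.
# An empty line separates records; a modify record closes each change block
# with a line holding only "-".
SAMPLE_LDIF = """\
dn: CN=Marketing,CN=Users,DC=Contoso,DC=Com
changetype: add
cn: Marketing
description: Marketing Users
objectClass: group
sAMAccountName: Marketing

dn: CN=Finance,CN=Users,DC=Contoso,DC=Com
changetype: modify
add: member
member: CN=Dan Holme,OU=employees,dc=contoso,dc=com
member: CN=Scott Bishop,OU=employees,dc=contoso,dc=com
-
"""


class LdifError(ValueError):
    """Raised for a record Ldifde would reject."""


def _split_records(text):
    """Yield each record as a list of lines; empty lines separate records."""
    record = []
    for raw in text.splitlines():
        if raw.strip() == "":
            if raw != "":  # spaces or tabs on a blank line are not a separator
                raise LdifError("whitespace-only line inside record")
            if record:
                yield record
                record = []
            continue
        record.append(raw)
    if record:
        yield record


def _attr(line):
    """Split 'name: value' into (name, value); the name keeps its case."""
    name, sep, value = line.partition(":")
    if not sep or not name.strip():
        raise LdifError(f"not an attribute line: {line!r}")
    return name.strip(), value.strip()


def _parse_modify(body):
    """'<add|delete|replace>: attr', then value lines for attr, then '-'."""
    changes, current = [], None
    for line in body:
        if line == "-":
            if current is None:
                raise LdifError("dash without an open change block")
            changes.append(current)
            current = None
            continue
        name, value = _attr(line)
        if current is None:
            if name.lower() not in ("add", "delete", "replace"):
                raise LdifError(f"expected a change operation, got {name!r}")
            current = (name.lower(), value, [])
        elif name.lower() != current[1].lower():
            raise LdifError(f"{name!r} inside change block for {current[1]!r}")
        else:
            current[2].append(value)
    if current is not None:
        raise LdifError("modify change block not terminated with '-'")
    return changes


def parse_ldif(text):
    """One dict per record: dn, changetype, and the attributes to add (lists
    of values) or the (op, attr, values) change blocks of a modify."""
    ops = []
    for lines in _split_records(text):
        name, dn = _attr(lines[0])
        if name.lower() != "dn":
            raise LdifError("record must start with dn:")
        if len(lines) < 2:
            raise LdifError(f"record {dn!r} has no changetype")
        name, ctype = _attr(lines[1])
        if name.lower() != "changetype":
            raise LdifError("second line of a record must be changetype:")
        ctype, body = ctype.lower(), lines[2:]
        if ctype == "add":
            attrs = {}
            for line in body:
                k, v = _attr(line)
                attrs.setdefault(k, []).append(v)
            ops.append({"dn": dn, "changetype": "add", "attributes": attrs})
        elif ctype == "modify":
            ops.append({"dn": dn, "changetype": "modify", "ops": _parse_modify(body)})
        elif ctype == "delete":
            ops.append({"dn": dn, "changetype": "delete"})
        else:
            raise LdifError(f"unknown changetype {ctype!r}")
    return ops


def validate(text):
    """Empty string when the file parses, otherwise the first error found."""
    try:
        parse_ldif(text)
        return ""
    except LdifError as exc:
        return str(exc)
```

Running validate over a file before handing it to Ldifde catches the two mistakes administrators make most with this format, a missing dash and an invisible whitespace line, with a message that names the problem rather than a failed import.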
Exam Tip Both Csvde and Ldifde provide import and export capabilities, allowing large
numbers of security principals (including users or groups) to be created at once with the least
possible administrative effort. However, the Ldifde command and its file structure are
nowhere near as intuitive for administrators as the comma-delimited file supported by Csvde.
For the 70-290 certification examination, you should understand that both commands are
able to import and export objects using their respective file formats. Only Ldifde is capable of
modifying existing objects or removing objects.
Creating Groups with Dsadd
The Dsadd command, introduced in Chapter 3, is used to add objects to Active Direc-
tory. To add a group, use the syntax
dsadd group GroupDN…
The GroupDN… parameter is one or more distinguished names for the new group objects. If a DN includes a space, surround the entire DN with quotation marks. The GroupDN… parameter can be entered one of the following ways:
■ By piping a list of DNs from another command such as dsquery.
■ By typing each DN on the command line, separated by spaces.
■ By leaving the DN parameter empty, at which point you can type the DNs, one at
a time, at the keyboard console of the command prompt. Press ENTER after each
DN. Press CTRL+Z and ENTER after the last DN.
The Dsadd Group command can take the following optional parameters after the DN
parameter:
■ -secgrp {yes | no} determines whether the group is a security group (yes) or a distribution group (no). The default value is yes.
■ -scope {l | g | u} determines whether the group is domain local (l), global (g, the default), or universal (u).
■ -samid SAMName
■ -desc Description
■ -memberof GroupDN... specifies groups to which to add the new group
■ -members MemberDN... specifies members to add to the group
As discussed in Chapter 3, you can add -s, -u, and -p parameters to specify the domain controller against which Dsadd will run, and the user name and password—the credentials—that will be used to execute the command.
■ {-s Server | -d Domain}
■ -u UserName
■ -p {Password | *}
For example, to create a new global security group named Marketing in the Employees
OU of the Contoso.com domain, the command would be:
dsadd group "CN=Marketing,OU=Employees,DC=Contoso,DC=Com" -samid Marketing -secgrp yes -scope g
Retrieving Group Attributes with Dsget
The Dsget command, introduced in Chapter 3, returns specified attributes from one or
more objects. The Dsget command has a particularly useful role with groups: it can
return the list of members of a group. For example, the following command returns a
list of DNs of each member of the Sales group:
dsget group "CN=Sales,OU=Employees,DC=Contoso,DC=Com" -members
Exam Tip Dsquery returns a list of objects in Active Directory based on properties specified as search criteria. It is the most common way to produce a list of DNs to pipe to another directory service command. Dsget, however, is the only directory service command that produces a list of DNs of members of a group.
Finding the Domain Groups to Which a User Belongs
Active Directory allows for flexible and creative group nesting, where
■ Global groups can nest into other global groups, universal groups, or domain local
groups.
■ Universal groups can be members of other universal groups or domain local
groups.
■ Domain local groups can belong to other domain local groups.
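The nesting list above and the scope-conversion rules from Lesson 1 (the Finance example, the Tip about going through universal scope, and the functional-level requirement), combined in an added Python example that is not the book’s code. It encodes which scope may contain which, which conversions are direct, and the functional-level gate. It then treats a conversion as allowed only when the group’s existing memberships stay legal under the new scope; that is this example’s own assumption, it reproduces the Finance example, and it does not model users, so the rules about members from other domains are not checked. The group names in SAMPLE_GROUPS are constructed.

```python
# Added example (Python), not the book's own code: checks group nesting and
# scope conversion against the rules in this chapter.

# Which scopes a group of each scope may contain, from the list above.
NESTING = {
    "global": {"global"},
    "universal": {"global", "universal"},
    "domain local": {"global", "universal", "domain local"},
}

# Scope changes that can be made in one step (Lesson 1); global to domain
# local must go through universal.
DIRECT_CONVERSIONS = {
    ("global", "universal"), ("universal", "global"),
    ("domain local", "universal"), ("universal", "domain local"),
}

# Functional levels at which scope and type changes are allowed at all.
CONVERTING_LEVELS = {"Windows 2000 native", "Windows Server 2003"}

# Constructed directory: Finance is a global group nested in another global
# group (here called Accounting), as in the Lesson 1 example; Printers is a
# domain local group that contains the domain local group HelpDesk.
SAMPLE_GROUPS = {
    "Accounting": {"scope": "global", "members": ["Finance"]},
    "Finance": {"scope": "global", "members": []},
    "Sales": {"scope": "global", "members": []},
    "Printers": {"scope": "domain local", "members": ["HelpDesk"]},
    "HelpDesk": {"scope": "domain local", "members": []},
}


def can_nest(child_scope, parent_scope):
    """True if a group of child_scope may be a member of a parent_scope group."""
    return child_scope in NESTING[parent_scope]


def conversion_problems(name, new_scope, groups, level):
    """Reasons the conversion is not allowed; an empty list means it is.
    Assumption of this example: a conversion is legal when every existing
    membership of the group is still legal under the new scope."""
    problems = []
    if level not in CONVERTING_LEVELS:
        problems.append(f"domain functional level {level!r} does not allow scope changes")
    old = groups[name]["scope"]
    if (old, new_scope) not in DIRECT_CONVERSIONS:
        problems.append(f"no direct conversion from {old} to {new_scope}")
        return problems
    # every group that contains this one must be allowed to contain the new scope
    for parent, info in groups.items():
        if name in info["members"] and not can_nest(new_scope, info["scope"]):
            problems.append(f"{name} is a member of {info['scope']} group {parent}, "
                            f"which cannot contain a {new_scope} group")
    # every group inside this one must still be allowed under the new scope
    for child in groups[name]["members"]:
        child_scope = groups[child]["scope"]
        if not can_nest(child_scope, new_scope):
            problems.append(f"{name} contains {child_scope} group {child}, "
                            f"which a {new_scope} group cannot contain")
    return problems


def conversion_path(old, new):
    """The scopes to pass through: direct, or via universal as the Tip describes."""
    if old == new:
        return [old]
    if (old, new) in DIRECT_CONVERSIONS:
        return [old, new]
    return [old, "universal", new]
```

Deriving the conversion check from the nesting table is the useful design point: Finance cannot become universal because a universal group cannot sit inside a global group, and Printers cannot become universal because a universal group cannot contain a domain local group, and both facts come from the same three-line table rather than from a separate list of exceptions.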
This flexibility brings with it the potential for complexity, and without the right tools,
it would be difficult to know exactly which groups a user belongs to, whether directly
or indirectly. Fortunately, the Dsget command solves the problem. From a command
prompt, type:
dsget user UserDN -memberof [-expand]
The -memberof switch returns the value of the MemberOf attribute, showing the
groups to which the user directly belongs. By adding the -expand switch, those groups
are searched recursively, producing an exhaustive list of all groups to which the user
belongs in the domain.
Modifying Groups with Dsmod
The Dsmod command, introduced in Chapter 3, is used to modify objects in Active
Directory. To modify a group, use the syntax
dsmod group GroupDN…
The command takes many of the same switches as Dsadd Group, including -samid, -desc, -secgrp, and -scope. Typically, though, you won’t be changing those attributes of an existing group. Rather, the most useful switches are those that let you modify the membership of a group, specifically
■ -addmbr MemberDN Adds members to the group specified in GroupDN
■ -rmmbr MemberDN Removes members from the group specified in GroupDN
As with all directory service commands, the MemberDN is the full, distinguished name
of another Active Directory object, surrounded by quotation marks if there are any
spaces in the DN.
Note On any one command line, you can use only -addmbr or -rmmbr. You cannot use both
in a single Dsmod Group command.
For example, if your goal were to add a user named David Jones in the Employees OU of contoso.com to the Marketing global security group, the proper Dsmod Group command would be:
dsmod group "CN=Marketing,OU=Employees,DC=Contoso,DC=Com" -addmbr "CN=David Jones,OU=Employees,DC=Contoso,DC=Com"
You can use Dsget in combination with Dsmod to copy group membership. In the following example, the Dsget command is used to get information about all the members of the Sales group and then, by piping that list to Dsmod, to add those users to the Marketing group:
dsget group "CN=Sales,OU=Employees,DC=Contoso,DC=Com" -members | dsmod group "CN=Marketing,OU=Employees,DC=Contoso,DC=Com" -addmbr
Moving and Renaming Groups with Dsmove
The Dsmove command, introduced in Chapter 3, allows you to move or rename an
object within a domain. You cannot use it to move objects between domains. Its basic
syntax is:
dsmove ObjectDN [-newname NewName] [-newparent ParentDN]
The object is specified using its distinguished name in the parameter ObjectDN. To
rename the object, specify its new common name in the NewName parameter. To move
an object to a new location, specify the distinguished name of a container through the
ParentDN parameter.
For example, to change the name of the Marketing group to Public Relations, type:
dsmove "CN=Marketing,OU=Employees,DC=Contoso,DC=Com" -newname "Public Relations"
To then move that group to the Marketing OU, type:
dsmove "CN=Public Relations,OU=Employees,DC=Contoso,DC=Com" -newparent "OU=Marketing,DC=Contoso,DC=Com"
Note You can also move or rename a group in the Active Directory Users And Computers
MMC or snap-in by selecting the group and choosing Move or Rename from the Action menu
or the shortcut menu.
Deleting Groups with Dsrm
Dsrm, introduced in Chapter 3, can be used to delete a group. The basic syntax is:
dsrm ObjectDN ... [-subtree [-exclude]] [-noprompt] [-c]
The object is specified by its distinguished name in the ObjectDN parameter. You will
be prompted to confirm the deletion of each object unless you specify the -noprompt
parameter. The -c switch puts Dsrm into continuous operation mode, in which errors
are reported but the command keeps processing additional objects. Without the -c
switch, processing halts on the first error.
To delete the Public Relations group, type:
dsrm "CN=Public Relations,OU=Marketing,DC=Contoso,DC=Com"
Using VBScript to Automate Group Administration
The 70-290 certification examination objectives expect you to have a rudimentary understanding of using scripts written in the VBScript scripting language. You will need to be able to recognize, but not necessarily create, simple VBScript operations. However, a more detailed understanding of VBScript is a very useful competency for real-world administration of Active Directory. Because the use of VBScript cuts across multiple topics, including the administration of both users and groups, we have included a supplement entitled “Using VBScript to Automate User and Group Administration” on the CD-ROM accompanying this book.
On the CD Be sure to read the supplement “Using VBScript to Automate User and Group
Administration” on the CD-ROM accompanying this book.
Practice: Using Ldifde to Manage Group Accounts
In the following exercises, you list the options available for Ldifde, exporting users
from the Active Directory, and creating a group object in the directory.
Exercise 1: Starting Ldifde
In this exercise, you list the command options available with Ldifde.
1. Open a Command Prompt.
2. For a list of commands, at the command prompt, type ldifde /?.
Exercise 2: Exporting the Users from an Organizational Unit
In this exercise, you will export the entire contents of an OU named Marketing, complete with all its users, from the contoso.com domain.
1. In the contoso.com domain (Server01 is a domain controller for contoso.com),
create an OU named Marketing.
2. In the Marketing OU, add two or three users. These users may be named whatever
you choose.
3. Open a command prompt and type the following Ldifde command on a single line:
ldifde -f marketing.ldf -s server01 -d "ou=Marketing,dc=contoso,dc=com" -p subtree -r "(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=contoso,DC=com)"
Figure 4-4 shows the code in action.
Figure 4-4 Output of LDIFDE export–Marketing OU
This creates an LDIF file named Marketing.ldf by connecting to the server named Server01 and executing a subtree search of the Marketing OU for all objects of the category Person.
Exercise 3: Using Ldifde to Create a Group
In this exercise, you will use Ldifde to add a group named Management to the Marketing OU of contoso.com.
1. Start a text editor, such as Notepad, and create a text file named Newgroup.ldf.
(Save the file as an LDIF file, not as a text file.)
2. Edit the LDIF file Newgroup.ldf, and add the following text:
dn: CN=Management,OU=Marketing,DC=contoso,DC=com
changetype: add
cn: Management
objectClass: group
sAMAccountName: Management
3. Save and close the LDIF file.
4. Open a Command Prompt, type the following command, and then press ENTER:
ldifde -i -f newgroup.ldf -s server01
Tip Watch for extra “white space” (tabs, spaces, carriage returns, line feeds) in the file.
Extra white space in the file will cause the command to fail.
5. To confirm that the new group has been created, check the Active Directory Users
And Computers snap-in.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. Which of the following Ldifde commands changes the function of Ldifde from
export to import?
a. -i
b. -t
c. -f
d. -s
2. What object classes are possible to export and import using Ldifde?
3. You have a database of users that is capable of exporting CSV files. Can you use
such a file, or must you create an *.ldf file manually for importing?
Lesson Summary
■ Ldifde is an included tool with Windows Server 2003 that allows for the importing
and exporting of data into and out of Active Directory.
■ If you have an existing directory of user data, you can use Ldifde to export the desired data for importing into Active Directory, which is, generally, a more efficient process than creating each element individually by hand. CSV files are usable so long as the data is correctly formatted, with all required elements included and in their proper order.
■ Ldifde can be copied from a Windows Server 2003 to a Windows 2000 or Windows
XP desktop for use with Active Directory.
Case Scenario Exercise
You are in the process of building your Active Directory and have some user data from the
Human Resources department that includes first and last name, address, and telephone
number. Company policy states that the user logon name should be the combination of
first name or initial and last name. (For example, Ben Smith would be bsmith.)
You have 500 users, 30 groups, and 10 OUs. In practical terms, what is the best way to
get your Active Directory set up as quickly and easily as possible?
Troubleshooting Lab
Creating individual objects (users, groups, and computers) in your Active Directory is
a straightforward process, but finding objects and their associations after many objects
have been created can present challenges. In a large, multiple-domain environment (or
in a complicated smaller one), solving resource access problems can be difficult. For
example, if Sarah can access some but not all of the resources that are intended for her,
she might not have membership in the groups that have been assigned permissions to
the resources.
If you have multiple domains with multiple OUs in each domain, and multiple, nested groups in each of those OUs, it could take a great deal of time to examine the membership of these many groups to determine whether the user has the appropriate membership. Active Directory Users And Computers would not be the best tool choice.
You will use the Dsget command to get a comprehensive listing of all groups of which
a user is a member. For the purposes of this lab, the user Ben Smith in the contoso.com
domain, the Users OU, will be used.
1. Choose a user in your Active Directory to use as a test case for the steps that fol-
low. If you do not have a construction that is to your liking, create a number of
nested groups across several OUs, making the user a member of only some of the
groups.
2. Open a command prompt.
3. Type the following command (substituting your selected user name and OU for
Ben Smith):
dsget user "CN=Ben Smith,CN=Users,DC=contoso,DC=com" -memberof -expand
The complete listing of all groups of which the user is a member is displayed.
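The recursive walk behind -memberof -expand, as an added Python example that is not the book’s code and not how Dsget is implemented; it also covers the description of the -memberof and -expand switches in Lesson 3. It runs over a constructed memberOf map instead of the directory, reports both the direct groups (what -memberof alone shows) and the full nested set (what -expand adds), and records the chain of groups that leads to each one, which is the answer you want when asking why Sarah is, or is not, in a group. The DNs and group names are constructed; the cycle in the sample is deliberate, to show that the walk must track visited groups.

```python
# Added example (Python), not the book's or Dsget's code: the expansion that
# "dsget user ... -memberof -expand" performs, over a constructed memberOf map.
from collections import deque

BEN = "CN=Ben Smith,CN=Users,DC=contoso,DC=com"
SALES = "CN=Sales,OU=Groups,DC=contoso,DC=com"
EMPLOYEES = "CN=Employees,OU=Groups,DC=contoso,DC=com"
MARKETING = "CN=Marketing,OU=Groups,DC=contoso,DC=com"
ALL_STAFF = "CN=All Staff,OU=Groups,DC=contoso,DC=com"
FINANCE = "CN=Finance,OU=Groups,DC=contoso,DC=com"

# Constructed sample: object DN -> value of its memberOf attribute. Ben is
# directly in Sales only; Sales nests into Employees and Marketing; both of
# those nest into All Staff; All Staff has been made a member of Marketing,
# which forms a cycle that a naive recursive walk would never leave.
MEMBER_OF = {
    BEN: [SALES],
    SALES: [EMPLOYEES, MARKETING],
    EMPLOYEES: [ALL_STAFF],
    MARKETING: [ALL_STAFF],
    ALL_STAFF: [MARKETING],
    FINANCE: [],
}


def direct_groups(dn, member_of):
    """What -memberof alone reports: the object's own memberOf values."""
    return list(member_of.get(dn, []))


def membership_chains(dn, member_of):
    """Every group the object belongs to, directly or through nesting, mapped
    to the shortest chain of groups that leads there (breadth-first, with a
    visited set so cycles and shared parents are handled once)."""
    chains = {}
    visited = {dn.lower()}
    queue = deque([(dn, [])])
    while queue:
        current, path = queue.popleft()
        for group in member_of.get(current, []):
            key = group.lower()
            if key in visited:
                continue
            visited.add(key)
            chains[group] = path + [group]
            queue.append((group, path + [group]))
    return chains


def expanded_groups(dn, member_of):
    """What -memberof -expand reports: all groups, direct and nested."""
    return list(membership_chains(dn, member_of))


def is_effective_member(dn, group_dn, member_of):
    """The troubleshooting question: does dn end up in group_dn at all?"""
    return group_dn.lower() in (g.lower() for g in membership_chains(dn, member_of))
```

The chain is what Dsget does not print: if Ben turns out to be in All Staff only through Sales and Employees, then removing him from Sales changes his access to everything All Staff is granted, and the chain makes that visible before the change is made.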
Chapter Summary
■ Groups may be created within any OU within Active Directory.
■ There are two types of groups: security and distribution.
■ There are three scopes of groups: domain local, global, and universal.
■ Manual creation of groups is accomplished with the Active Directory Users And
Computers MMC.
■ Automated creation of groups is accomplished with the Ldifde command-line tool.
■ Directory Services Tools such as Dsquery, Dsget, and Dsmod can be used to list,
create, and modify groups and their membership.
■ Group types can be changed only when the domain functional level is at least
Windows 2000 native.
■ Advanced group nesting is possible only when the domain functional level is at
least Windows 2000 native.
Exam Highlights
Before taking the exam, review the key points and terms that are presented below to help you identify topics you need to review. Return to the lessons for additional practice and review the “Further Reading” sections in Part 2 for pointers to more information about topics covered by the exam objectives.
Key Points
■ The types of groups and their available uses depending on the domain functional
level
■ The scope of groups and their various nesting constructions depending on the
domain functional level
■ The basic use of Active Directory Users And Computers in creating groups and
modifying their membership
■ The basic use of Ldifde for exporting groups from one directory to another and in
creating groups
■ The basic use of Dsget for listing complete group memberships for a user
Key Terms
domain local group (scope) In mixed or interim domain functional level, these local groups are available only on domain controllers, not domainwide.
global group (scope) A group that is available domainwide in any domain functional level.
universal group (scope) A group that can be available domainwide in any functional level, but limited to distribution scope in Windows 2000 mixed and Windows Server 2003 interim domain functional levels.
security group (type) Can have permissions assigned in an ACL.
distribution group (type) Cannot have permissions assigned in an ACL.
Questions and Answers
Lesson 1 Review (page 4-11)
1. What type of domain group is most like the local group on a member server? How
are they alike?
Domain local groups are very similar to local groups on a member server in that they are, in a mixed or Windows Server 2003 interim domain functional level domain, limited to the computers on which they reside—in the case of domain local groups, the domain controller. Until the domain functional level is raised to Windows 2000 native or Windows Server 2003, the domain local groups cannot be used for permission assignment on any servers in the domain other than the domain controllers.
2. If you are using universal groups in your domain or forest, and you need to give permission-based access to the members of the universal group, what configuration must be true of the universal group?
For the universal group:
❑ The domain functional level must be Windows 2000 native or Windows Server 2003.
❑ The universal group must be of the type security (not distribution).